CVE-2021-39358

MEDIUM

libgfbgraph < 0.2.4 - Improper Certificate Validation in SoupSessionSync

Title source: llm

Description

In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable TLS certificate verification on the SoupSessionSync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.

References (5)

Core 5

Core References

Issue Tracking, Vendor Advisory x_refsource_misc

https://gitlab.gnome.org/GNOME/libgfbgraph/-/issues/17

Vendor Advisory x_refsource_misc

https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYI47UX6S5PAOWVWQ2KID64MCTXTH7SE/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GRCVZUNPTNFQQQCEZVP7RYY6OKHPDBC5/

Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WXXAF56BYLSES4UCLXKFCODZXTNAZ2G6/

Scores

CVSS v3 5.9

EPSS 0.0022

EPSS Percentile 44.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-295

Status published

Products (4)

fedoraproject/fedora 33

fedoraproject/fedora 34

fedoraproject/fedora 35

gnome/libgfbgraph < 0.2.4

Published Aug 22, 2021

Tracked Since Feb 18, 2026