SSL certificate verification disabled in pyload/pyload
Jan 19th 2023
When a certificate is invalid or malicious and the client does not reject it, an attacker who can interpose on the path between client and host can impersonate a trusted entity. The software may connect to a malicious host while believing it is the trusted one, or accept spoofed data that appears to originate from the trusted host. This is the classic TLS man-in-the-middle scenario, and it applies to every HTTPS link pyLoad downloads from.
Proof of Concept
- Add a package whose link points to a host with an invalid SSL certificate. E.g.
- Go to the Files tab and observe that the content of that link has been downloaded: the invalid certificate was never rejected.
This vulnerability allows a network attacker in a man-in-the-middle position to intercept or tamper with data that pyLoad sends and receives over HTTPS connections.
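The vulnerable and corrected configurations side by side, plus a small source audit for the anti-pattern, as an added example that is not pyLoad's own code. pyLoad's downloader is built on pycurl, where the equivalent knobs are SSL_VERIFYPEER and SSL_VERIFYHOST; the example below uses the standard-library ssl and urllib modules so it runs without extra dependencies. The SAMPLE_SOURCE string is a constructed snippet, not taken from the pyload repository, and the badssl.com host under the __main__ guard is assumed to be a reachable public test host with a deliberately expired certificate.

```python
import re
import ssl
import urllib.request
from typing import List, Tuple
from urllib.error import URLError


def insecure_context() -> ssl.SSLContext:
    """The vulnerable pattern: chain validation and hostname matching both off.

    Any certificate, self-signed or issued for a different host, is accepted,
    so an on-path attacker can terminate the TLS session and read/modify traffic.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context(cafile: str = None) -> ssl.SSLContext:
    """The corrected configuration: require a chain to a trusted CA and a
    hostname match. cafile is an optional private CA bundle (assumption:
    operators running their own CA pass it here instead of disabling checks)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain check and the hostname check are enforced."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10) -> Tuple[bool, str]:
    """Fetch url with the given context; returns (ok, detail).

    A certificate failure surfaces as URLError whose .reason is an
    SSLCertVerificationError; we report that distinctly from other errors."""
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return True, "HTTP %d" % resp.status
    except URLError as exc:
        reason = exc.reason
        if isinstance(reason, ssl.SSLCertVerificationError):
            return False, "certificate rejected: %s" % reason.verify_message
        return False, str(reason)


# Regexes for the ways verification is commonly switched off in Python code
# (pycurl options, requests' verify flag, raw ssl module settings).
_DISABLED_PATTERNS = (
    r"SSL_VERIFYPEER\s*,\s*0",
    r"SSL_VERIFYHOST\s*,\s*0",
    r"verify\s*=\s*False",
    r"CERT_NONE",
    r"check_hostname\s*=\s*False",
    r"_create_unverified_context",
)


def audit_source(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every non-comment line that disables
    certificate verification. Intended as a quick repo-wide grep helper."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if any(re.search(pat, line) for pat in _DISABLED_PATTERNS):
            hits.append((lineno, stripped))
    return hits


# Constructed sample resembling a pycurl-based downloader; not pyLoad's code.
SAMPLE_SOURCE = """\
import pycurl
c = pycurl.Curl()
c.setopt(pycurl.SSL_VERIFYPEER, 0)
c.setopt(pycurl.SSL_VERIFYHOST, 0)
c.setopt(pycurl.FOLLOWLOCATION, 1)
session.get(url, verify=False)
# verify=False inside a comment is ignored by the audit
"""


if __name__ == "__main__":
    for lineno, line in audit_source(SAMPLE_SOURCE):
        print("disabled verification at line %d: %s" % (lineno, line))
    # Assumed public test host with an expired certificate; needs network access.
    url = "https://expired.badssl.com/"
    print("insecure:", fetch(url, insecure_context()))   # succeeds: MITM possible
    print("secure:  ", fetch(url, secure_context()))     # rejected
```

The hardened context is what ssl.create_default_context() already gives you; the bug class is almost always someone explicitly turning those two checks off to make a broken host "work". The right remedy for a private or self-signed deployment is to pass the operator's CA bundle (the cafile parameter above) rather than accept every certificate.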
A pyload/pyload maintainer validated this vulnerability 2 months ago
A pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev44 with commit a9098b 2 months ago
This vulnerability has been assigned a CVE