SSL certificate verification disabled in pyload/pyload

Status: Valid

Reported on: Jan 19th 2023
Description

When an invalid or malicious certificate is accepted, an attacker who can interfere with the communication path between the host and the client can spoof a trusted entity. The software might connect to a malicious host while believing it is a trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host.

Proof of Concept

  1. Add a package with a link whose host's SSL certificate is invalid, e.g. https://self-signed.badssl.com/
  2. Go to the Files tab and see that the content of the above-mentioned link has been downloaded.

Impact

This vulnerability allows an attacker to intercept data sent over HTTPS connections.
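The two settings this report is about, shown as an added example (not pyload's own code, nor the fix from the commit cited below): a client context with verification disabled, as the report describes, beside the default hardened one, plus a small audit helper a test suite can use to keep the setting from regressing. It assumes pyload's HTTP layer is built on pycurl, whose SSL_VERIFYPEER / SSL_VERIFYHOST options correspond to the two `ssl` attributes used here.

```python
import ssl
import urllib.request


def make_context(verify: bool) -> ssl.SSLContext:
    """Build a client-side TLS context.

    verify=False reproduces the weakness in the report: the peer's
    certificate chain is never checked (CERT_NONE, like SSL_VERIFYPEER=0)
    and the hostname is not matched against the certificate
    (check_hostname=False, like SSL_VERIFYHOST=0), so an interposed host
    presenting any certificate is accepted.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    if not verify:
        # Order matters: check_hostname must be cleared before verify_mode
        # can be lowered, otherwise ssl raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """Return the verification settings that are switched off (empty == OK)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED (peer chain unchecked)")
    if not ctx.check_hostname:
        problems.append("check_hostname is False (certificate name not matched)")
    return problems


def fetch_status(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> int:
    """GET url with ctx; raises ssl.SSLCertVerificationError when the
    certificate is rejected, e.g. for the self-signed host in the PoC."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    url = "https://self-signed.badssl.com/"  # the host named in the PoC above
    # Disabled verification: the self-signed certificate is accepted (200).
    print("insecure:", fetch_status(url, make_context(False)))
    try:
        fetch_status(url, make_context(True))
    except ssl.SSLCertVerificationError as exc:
        # Default verification: the connection is refused before any data flows.
        print("hardened: rejected ->", exc.reason)
```

The `__main__` block needs network access; `context_problems` runs offline and is the check worth wiring into a unit test.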

Timeline

  - We are processing your report and will contact the pyload team within 24 hours. (2 months ago)
  - We have contacted a member of the pyload team and are waiting to hear back. (2 months ago)
  - pyload/pyload maintainer validated this vulnerability. (2 months ago)
  - bAu has been awarded the disclosure bounty.
  - The fix bounty is now up for grabs.
  - The researcher's credibility has increased: +7
  - pyload/pyload maintainer marked this as fixed in 0.5.0b3.dev44 with commit a9098b. (2 months ago)
  - The fix bounty has been dropped.
  - This vulnerability has been assigned a CVE.
  - pyload/pyload maintainer published this vulnerability. (2 months ago)
  - http_request.py#L106 has been validated.