CVE-2015-4456 - ownCloud Desktop Client before 1.8.2 does not call QNetworkReply::ignoreSslErrors with the list of e

CVE-2015-4456

Summary

ownCloud Desktop Client before 1.8.2 does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which allows man-in-the-middle attackers to bypass the user's certificate distrust decision and obtain sensitive information by leveraging a self-signed certificate and a connection to a server using its own self-signed certificate. <a href="http://cwe.mitre.org/data/definitions/297.html" target="_blank">CWE-297: Improper Validation of Certificate with Host Mismatch</a>

References

Vulnerable Configurations

cpe:2.3:a:owncloud:owncloud_desktop_client:*:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud_desktop_client:*:*:*:*:*:*:*:*

CVSS

Base:	2.6 (as of 24-12-2016 - 02:59)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	HIGH	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:H/Au:N/C:P/I:N/A:N

refmap via4

bid	75354
confirm	https://github.com/owncloud/client/issues/3283 https://owncloud.org/security/advisory/?id=oc-sa-2015-009
debian	DSA-3363

Last major update

24-12-2016 - 02:59

Published

26-10-2015 - 14:59

Last modified

24-12-2016 - 02:59