<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Andale Mono";
panose-1:2 11 5 9 0 0 0 0 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hello everyone,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I am looking for details about a vulnerability listed in JFrog X-Ray (see below) that does not have much data attached to it in the report (no CVE, no links to analysis). My end goal would be to eventually help resolve it, but I have no data about the source to start from.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Anyone here who can help me assess it?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thank you for your time and assistance!<o:p></o:p></p>
<p class="MsoNormal">Angelo<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────┐<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Summary │ logback SSL Certificate Validation Failure MitM Spoofing │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Severity │ MEDIUM │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Description │ logback contains a flaw as X.509 certificates are not properly validated. By spoofing the TLS/SSL │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ server via a certificate that appears valid, an attacker with the ability to intercept network │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Type │ SECURITY │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Provider │ JFrog │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Issues │ 4.0/CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Edited │ 2021-04-15T09:22:04Z │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Created │ 2019-05-02T00:00:00.297Z │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Impact paths │ - │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ /sha256__11533f8a115abc3bbf6840bebe91a8616a0ee04cd4bdad4094ed62e6f86d4432.tar.gz/usr/share/fugu/li │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ b/ch.qos.logback-logback-core-1.2.3.jar │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ │ Affected component ID: gav://ch.qos.logback:logback-core:1.2.3 │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Vulnerable versions │ 1.0.12 ≤ Version ≤ 1.3.0-alpha5 │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">├─────────────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┤<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">│ Fixed versions │ │<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Andale Mono"">└─────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────────────┘<o:p></o:p></span></p>
</div>
</body>
</html>