stunnel stunnel 证书验证不恰当

admin

0
文章

0
评论

2023-12-01 16:08:13 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 stunnel stunnel 证书验证不恰当

CVE编号

CVE-2021-20230

利用情况

暂无

补丁情况

官方补丁

披露时间

2021-02-24

漏洞描述

A flaw was found in stunnel before 5.57, where it improperly validates client certificates when it is configured to use both redirect and verifyChain options. This flaw allows an attacker with a certificate signed by a Certificate Authority, which is not the one accepted by the stunnel server, to access the tunneled service instead of being redirected to the address specified in the redirect option. The highest threat from this vulnerability is to confidentiality.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://bugzilla.redhat.com/show_bug.cgi?id=1925226
https://github.com/mtrojnar/stunnel/commit/ebad9ddc4efb2635f37174c9d800d06206f1edf9
https://security.gentoo.org/glsa/202105-02

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	stunnel	stunnel	*		Up to (excluding) 5.57
	运行在以下环境
	系统	anolis_os_8	stunnel	*		Up to (excluding) 5.48-6
	运行在以下环境
	系统	anolis_os_8.2	stunnel	*		Up to (excluding) 5.48-6
	运行在以下环境
	系统	centos_8	stunnel	*		Up to (excluding) 5.56-5.el8_3
	运行在以下环境
	系统	debian_10	stunnel4	*		Up to (including) 5.50-3
	运行在以下环境
	系统	debian_11	stunnel4	*		Up to (excluding) 3:5.56+dfsg-8
	运行在以下环境
	系统	debian_12	stunnel4	*		Up to (excluding) 3:5.56+dfsg-8
	运行在以下环境
	系统	debian_9	stunnel4	*		Up to (including) 5.39-2
	运行在以下环境
	系统	debian_sid	stunnel4	*		Up to (excluding) 3:5.56+dfsg-8
	运行在以下环境
	系统	opensuse_Leap_15.2	stunnel-doc	*		Up to (excluding) 5.57-lp152.2.6.1
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 5.56-5.el8_3
	运行在以下环境
	系统	redhat_8	stunnel	*		Up to (excluding) 5.56-5.el8_3