Missing hostname validation allows an attacker to perform a monster in the middle attack against users of the library.
Missing SSL/TLS certificate hostname validation
An attacker can assume the identity of a trusted server and introduce malicious data in an otherwise trusted place.
Implement hostname validation.
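What the check involves, as an added illustration in Python (not code from the affected library or from the report): the name the client connected to is compared against the certificate's subjectAltName entries, and a wildcard is honoured only as the entire left-most label. The function names and the sample SAN list are constructed for this example; the tuple format follows Python's `ssl.getpeercert()`.

```python
import ipaddress

# Constructed sample, shaped like ssl.getpeercert()["subjectAltName"].
SAMPLE_SANS = (
    ("DNS", "example.com"),
    ("DNS", "*.example.com"),
    ("IP Address", "192.0.2.10"),
)


def _match_dns(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against the requested host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    # A wildcard covers exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    # Everything right of the first label must match literally, no wildcards.
    if any("*" in label for label in rest) or rest != h_labels[1:]:
        return False
    if first == "*":
        # Refuse wildcards directly under a top-level label, such as "*.com".
        return len(rest) >= 2
    # Partial wildcards such as "w*.example.com" are rejected outright.
    return "*" not in first and first == h_labels[0]


def hostname_matches(cert_sans, host: str) -> bool:
    """Return True only if a SAN entry of the right type covers `host`."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, treat as a DNS name
    for kind, value in cert_sans:
        if ip is not None:
            # IP literals match only iPAddress entries, never dNSName ones.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _match_dns(value, host):
            return True
    return False


if __name__ == "__main__":
    for name in ("api.example.com", "a.b.example.com", "evil.test", "192.0.2.10"):
        print(name, hostname_matches(SAMPLE_SANS, name))
```

In production code, rely on the TLS stack's own verification (in Python, `ssl.create_default_context()` enables certificate and hostname checks) rather than a hand-written matcher.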
- 18/05/2020: Report sent to Vendor
- 18/05/2020: Vendor acknowledged report
- 19/05/2020: Report published to public
This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).
You can contact the GHSL team at firstname.lastname@example.org, please include the GHSL-2020-095 in any communication regarding this issue.