Vulnerability Description
libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnome | Libgrss | <= 0.7.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.gnome.org/show_bug.cgi?id=772647 (Issue Tracking, Vendor Advisory)
- https://gitlab.gnome.org/GNOME/libgrss/-/issues/4 (Issue Tracking, Vendor Advisory)
- https://gitlab.gnome.org/GNOME/libgrss/-/merge_requests/7.patch (Mailing List, Patch, Vendor Advisory)
FAQ
What is CVE-2016-20011?
CVE-2016-20011 is a vulnerability with a CVSS score of 7.5 (HIGH). libgrss through 0.7.0 fails to perform TLS certificate verification when downloading feeds, allowing remote attackers to manipulate the contents of feeds without detection. This occurs because of the default behavior of SoupSessionSync.
How severe is CVE-2016-20011?
CVE-2016-20011 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2016-20011?
Check the references section above for vendor advisories and patch information. Affected products include: Gnome Libgrss.