CVE-2018-1000664 — MEDIUM (5.9)

Vulnerability Description

daneren2005 DSub for Subsonic (Android client) version 5.4.1 contains a CWE-295: Improper Certificate Validation vulnerability in HTTPS Client that can result in Any non-CA signed server certificate, including self signed and expired, are accepted by the client. This attack appear to be exploitable via The victim connects to a server that's MITM/Proxied by an attacker.

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Dsub For Subsonic Project	Dsub For Subsonic	5.4.1

Related Weaknesses (CWE)

CWE-295

References

https://github.com/daneren2005/Subsonic/issues/60Issue TrackingVendor Advisory
https://github.com/daneren2005/Subsonic/issues/60Issue TrackingVendor Advisory

FAQ

What is CVE-2018-1000664?

CVE-2018-1000664 is a vulnerability with a CVSS score of 5.9 (MEDIUM). daneren2005 DSub for Subsonic (Android client) version 5.4.1 contains a CWE-295: Improper Certificate Validation vulnerability in HTTPS Client that can result in Any non-CA signed server certificate, ...

How severe is CVE-2018-1000664?

CVE-2018-1000664 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1000664?

Check the references section above for vendor advisories and patch information. Affected products include: Dsub For Subsonic Project Dsub For Subsonic.