CVE-2021-44273

EUVD-2021-31119
e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy), with SSL MITM enabled, e2guardian, if built with OpenSSL v1.1.x, did not validate hostnames in certificates of the web servers that it connected to, and thus was itself vulnerable to MITM attacks.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.4 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |

EPSS Score percentile: 37%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| e2bn | e2guardian | 5.4.0 ≤ 𝑥 ≤ 5.4.3r |

𝑥 = Vulnerable software versions

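Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| e2guardian | bookworm | 5.3.5-4 | fixed |
| e2guardian | bullseye | 5.3.4-1+deb11u1 | fixed |
| e2guardian | sid | 5.5.6-1 | fixed |
| e2guardian | stretch | | ignored |
| e2guardian | trixie | 5.5.5-1 | fixed |
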
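Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| e2guardian | bionic | needs-triage |
| e2guardian | focal | needs-triage |
| e2guardian | hirsute | ignored |
| e2guardian | impish | ignored |
| e2guardian | jammy | needs-triage |
| e2guardian | kinetic | ignored |
| e2guardian | lunar | ignored |
| e2guardian | mantic | ignored |
| e2guardian | noble | needs-triage |
| e2guardian | trusty | ignored |
| e2guardian | xenial | ignored |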