CVE-2021-44273

e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate validation in the SSL MITM engine. In standalone mode (i.e., acting as a proxy or a transparent proxy), with SSL MITM enabled, e2guardian, if built with OpenSSL v1.1.x, did not validate hostnames in certificates of the web servers that it connected to, and thus was itself vulnerable to MITM attacks.
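
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.4 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |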

EPSS Score, Percentile: 41%

| Vendor | Product | Version |
|---|---|---|
| e2bn | e2guardian | 5.4.0 ≤ 𝑥 ≤ 5.4.3r |

𝑥 = Vulnerable software versions
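
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| e2guardian | bullseye | 5.3.4-1+deb11u1 | fixed |
| e2guardian | stretch | | ignored |
| e2guardian | bookworm | 5.3.5-4 | fixed |
| e2guardian | trixie | 5.5.5-1 | fixed |
| e2guardian | sid | 5.5.6-1 | fixed |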
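
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| e2guardian | noble | needs-triage |
| e2guardian | mantic | ignored |
| e2guardian | lunar | ignored |
| e2guardian | kinetic | ignored |
| e2guardian | jammy | needs-triage |
| e2guardian | impish | ignored |
| e2guardian | hirsute | ignored |
| e2guardian | focal | needs-triage |
| e2guardian | bionic | needs-triage |
| e2guardian | xenial | ignored |
| e2guardian | trusty | ignored |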