Vulnerability Details : CVE-2020-27589
Potential exploit
Synopsys hub-rest-api-python (aka blackduck on PyPI) version 0.0.25 - 0.0.52 does not validate SSL certificates in certain cases.
Products affected by CVE-2020-27589
- Synopsys » Hub-rest-api-python
  Versions: from 0.0.25 (including, >=) up to 0.0.52 (including, <=)
  CPE: cpe:2.3:a:synopsys:hub-rest-api-python:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-27589
- 0.28%: Probability of exploitation activity in the next 30 days
- ~ 68%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-27589
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2020-27589
- The product does not validate, or incorrectly validates, a certificate. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-27589
- https://github.com/blackducksoftware/hub-rest-api-python
  GitHub - blackducksoftware/hub-rest-api-python: HUB REST API Python bindings (Third Party Advisory)
- https://pypi.org/project/blackduck/
  blackduck · PyPI (Third Party Advisory)
- https://www.optiv.com/explore-optiv-insights/source-zero/certificate-validation-disabled-black-duck-api-wrapper
  Certificate Validation Disabled in Black Duck API Wrapper | Optiv (Exploit; Third Party Advisory)
- https://github.com/blackducksoftware/hub-rest-api-python/pull/113/commits/273b27d0de1004389dd8cf43c40b1197c787e7cd
  fixed use of hard-coded values for the verify parameter being supplied to requests calls by gsnyder2007 · Pull Request #113 · blackducksoftware/hub-rest-api-python · GitHub (Patch; Third Party Advisory)
- https://community.synopsys.com/s/question/0D52H00005JCZAXSA5/announcement-black-duck-defect-identified
  [ANNOUNCEMENT] Black Duck Defect Identified (Vendor Advisory)