Vulnerability Report - Endpoint Certificate Validation using HTTP may Erroneously Succeed

 
Unisys ID: UIS-2020-1
Status: Published
CVE-ID: CVE-2020-12053
Affected Product: Stealth Solution
Affected Version: 3.4.x, 4.x, 5.0.024
Impact: LOW
CVSS v3.1 Base Score: 3.8
CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CVSS v2.0 Base Score: 3.2
CVSS v2.0 Vector: AV:N/AC:H/Au:M/C:P/I:P/A:N
Common Weakness Enumeration (CWE):  295
Common Platform Enumeration (CPE):  cpe:2.3:a:unisys:stealth(core):*:*:*:*:*
Source: Internal Reported
Keyword(s):
Vulnerability Description:
Endpoint certificate validation using HTTP may erroneously succeed
System Configuration:
Impact of Exploiting Vulnerability:
Potential for an unauthorized user to become authorized as a valid user.
Remediation Description:
Starting with release 5.0.026, if the authorization process detects a certificate authorization group without HTTPS, that authorization group is not started. Other authorization groups are not affected.
Workaround Information:
For 3.4.x, 4.x and 5.0 releases prior to 5.0.026, certificate authorization groups should be updated to use HTTPS instead of HTTP.
References:
PLE 19280021
Additional Vendor Comment:
 
 
 

Disclaimer:

Unisys Corporation provides the information in this Security Vulnerability Report “AS IS.” No warranties of any nature are extended by or for the information. Unisys disclaims any financial or other responsibility that may result from your use of the information, including direct, indirect, special, or consequential damages.


Paper copies are not controlled and may be out of date; reference the Product Support Web site for current data.