Ya Xiao created CMIS-1112:
-----------------------------

Summary: Customized HostnameVerifier bypasses the hostname verification
Key: CMIS-1112
URL: https://issues.apache.org/jira/browse/CMIS-1112
Project: Chemistry
Issue Type: Improvement
Reporter: Ya Xiao
In file [chemistry-opencmis/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java] the customized HostnameVerifier allows all hostnames to pass the verification (at line 412).

*Security Impact*: Hostname verification is required to verify the identity of the other party. Bypassing it could allow man-in-the-middle attacks.

*Useful Resources*: [https://cwe.mitre.org/data/definitions/297.html]

*Solution we suggest:* Do not customize the HostnameVerifier, or specify the verification logic instead of allowing all hostnames.

*Please share with us your opinions/comments if there are any:* Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
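The following is an added illustration of the pattern the report describes and of the two remediations it suggests. It is not code from ClientSession.java or from the Chemistry project; it assumes a plain JDK `HttpsURLConnection` client and uses a constructed example URL. The key JDK fact it relies on is documented in the `HostnameVerifier` javadoc: the verifier is consulted only when the certificate's identity and the requested host already mismatch, so returning `true` unconditionally overrides that failed check rather than adding one.

```java
import java.io.IOException;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class HostnameVerifierExample {

    // The pattern reported (CWE-297): accept every hostname. Because the JDK only
    // calls a HostnameVerifier after the built-in identity check has FAILED, this
    // turns every mismatch into an accepted connection, which is the MITM exposure.
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true; // never do this
        }
    };

    // Remediation 1 (report's first suggestion): do not customize at all.
    // Without setHostnameVerifier(...) the built-in RFC 2818 check stays in force.
    static HttpsURLConnection openWithBuiltInCheck(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Remediation 2 (report's second suggestion): if a custom verifier exists,
    // give it real logic. Here it records the mismatch for audit and refuses it;
    // returning false keeps the built-in decision instead of overriding it.
    static HostnameVerifier auditingVerifier() {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                System.err.println("TLS identity mismatch: requested " + hostname
                        + ", peer reported " + session.getPeerHost()
                        + " (suite " + session.getCipherSuite() + ")");
                return false;
            }
        };
    }

    // For code that opens raw SSLSockets (where no HostnameVerifier is involved),
    // hostname checking must be switched on explicitly via endpoint identification.
    static SSLSocket openVerifiedSocket(String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // enables SAN/CN vs. host check
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample target for the demonstration.
        URL url = new URL("https://example.com/");
        HttpsURLConnection conn = openWithBuiltInCheck(url);
        conn.setHostnameVerifier(auditingVerifier());
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The simplest fix for the reported file is remediation 1: delete the custom verifier so the JDK's own check applies. A verifier that returns `true` for every input is never a "stricter" or "compatible" setting; it is the exact behaviour CWE-297 describes.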