FKIE_CVE-2024-29887

Vulnerability from fkie_nvd - Published: 2024-03-27 19:15 - Updated: 2025-12-19 18:20
Severity ?
7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Serverpod is an app and web server, built for the Flutter and Dart ecosystem. This bug bypassed the validation of TSL certificates on all none web HTTP clients in the `serverpod_client` package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server. An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used. Upgrading to version `1.2.6` resolves this issue.
References
security-advisories@github.comhttps://github.com/serverpod/serverpod/commit/d55bf8d12967fc7955a875cb3e0f9693bd6d2c71Patch
security-advisories@github.comhttps://github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fwVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/serverpod/serverpod/commit/d55bf8d12967fc7955a875cb3e0f9693bd6d2c71Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fwVendor Advisory
Impacted products
Vendor Product Version
serverpod serverpod *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:serverpod:serverpod:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2C260FA-6F65-4949-8FE7-0CAB169EEB27",
              "versionEndExcluding": "1.2.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Serverpod is an app and web server, built for the Flutter and Dart ecosystem. This bug bypassed the validation of TSL certificates on all none web HTTP clients in the `serverpod_client` package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server. An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used. Upgrading to version `1.2.6` resolves this issue.\n\n"
    },
    {
      "lang": "es",
      "value": "Serverpod es una aplicaci\u00f3n y un servidor web, creado para el ecosistema Flutter y Dart. Este error omiti\u00f3 la validaci\u00f3n de los certificados TSL en todos los clientes HTTP que no son web en el paquete `serverpod_client`. Haci\u00e9ndolos susceptibles a un ataque de intermediario contra el tr\u00e1fico cifrado entre el dispositivo cliente y el servidor. Un atacante tendr\u00eda que poder interceptar el tr\u00e1fico y secuestrar la conexi\u00f3n al servidor para poder utilizar esta vulnerabilidad. La actualizaci\u00f3n a la versi\u00f3n `1.2.6` resuelve este problema."
    }
  ],
  "id": "CVE-2024-29887",
  "lastModified": "2025-12-19T18:20:45.847",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-27T19:15:49.230",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/serverpod/serverpod/commit/d55bf8d12967fc7955a875cb3e0f9693bd6d2c71"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/serverpod/serverpod/commit/d55bf8d12967fc7955a875cb3e0f9693bd6d2c71"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.