Improper Certificate Validation in Backblaze - CVE-2020-8289

Published: December 27, 2020 / Updated: January 11, 2021


Vulnerability identifier: #VU49189
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2020-8289
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Backblaze
Affected software:
Backblaze

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to improper certificate validation in the `bztransmit` helper of Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434, caused by a hardcoded whitelist of strings matched against URLs. A remote attacker can perform a MitM attack and interfere with the update functionality.
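To illustrate the weakness class behind CWE-295 here, the following is an added example (not Backblaze's code; the hostnames and allowlist are hypothetical): a substring-based URL whitelist of the kind the advisory describes, beside the exact-hostname check and a TLS context that verifies the certificate chain and hostname.

```python
"""Exact-host allowlisting versus substring matching (constructed example)."""
import ssl
from urllib.parse import urlsplit

# Hypothetical allowlist; the real bztransmit list is not on the page.
ALLOWED_HOSTS = frozenset({"updates.example.com", "api.example.com"})


def weak_is_trusted(url: str) -> bool:
    """Flawed pattern: accept any URL whose text contains an allowed string.
    Any host can carry an allowed name in its path, query or a subdomain."""
    return any(h in url for h in ALLOWED_HOSTS)


def strict_is_trusted(url: str) -> bool:
    """Parse the URL, require https, and compare the hostname exactly."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname.lower() in ALLOWED_HOSTS


def verified_context() -> ssl.SSLContext:
    """TLS context that checks the chain and the hostname; a MitM presenting
    a certificate for some other name fails the handshake here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed URLs: only the first should be trusted.
    for u in ("https://updates.example.com/v7/manifest",
              "https://updates.example.com.attacker.test/manifest",
              "https://attacker.test/?ref=updates.example.com",
              "http://updates.example.com/manifest"):
        print(f"{u}\n  weak={weak_is_trusted(u)} strict={strict_is_trusted(u)}")
```

The weak check accepts all four constructed URLs; the strict check accepts only the first, and the verified context rejects a certificate that does not match the connected hostname.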

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.


How to mitigate CVE-2020-8289

Install updates from the vendor's website.

Sources