CVE-2020-24714: Scalyr Agent Missing SSL Certificate Validation

CVSS 3.1 Score: 9.8

Basic Information

EPSS Score: 0.44836%
Published: 5/24/2022
Updated: 10/22/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| scalyr-agent-2 | pip | < 2.1.10 | 2.1.10 |

Vulnerability Intelligence
Root Cause Analysis

The patches indicate a significant overhaul of the TLS connection handling in the Scalyr Agent, moving away from tlslite and towards the standard ssl module for Python. This change addresses the Missing SSL Certificate Validation vulnerability by ensuring proper certificate validation and hostname verification are performed during TLS connections.
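The two checks named above (certificate validation and hostname verification) are separate settings on a Python `ssl.SSLContext`, and a client can have one without the other. The following is an added example, not code from the Scalyr Agent or its patches; the function names are hypothetical, and it only inspects context settings, so it runs offline.

```python
import ssl


def make_verified_context(ca_file=None):
    """Client context that validates the chain and the server hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_chain_only_context():
    """Validates the chain but accepts a certificate issued for any host."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    return ctx


def make_unverified_context():
    """Encrypts the channel but accepts any certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the validation gaps in a client-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("server hostname is not verified")
    return findings


def wrap_checked(ctx, sock, server_hostname):
    """Refuse to start a handshake on a context that skips validation."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing TLS connection: " + "; ".join(findings))
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    for name, factory in [("verified", make_verified_context),
                          ("chain-only", make_chain_only_context),
                          ("unverified", make_unverified_context)]:
        print(name, audit_context(factory()) or "ok")
```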

WAF Protection Rules

WAF Rule

The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation because, in some circumstances, the openssl binary is called without the -verify_hostname option.
