CVE-2023-25392: Allegro Tech BigFlow vulnerable to Missing SSL Certificate Validation

CVSS Score: 5.9 (CVSS 3.1)

Basic Information

EPSS Score: 0.22875%
Published: 4/10/2023
Updated: 2/11/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
bigflow | pip | < 1.6.0 | 1.6.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The root cause of the vulnerability is in the get_vault_token function, where TLS certificate validation of the Vault endpoint was explicitly disabled, so an on-path attacker able to present any certificate could impersonate Vault and read the token exchange. This is confirmed by:

  1. The GitHub commit diff showing verify=False being used in requests.get
  2. The CWE-295 (Improper Certificate Validation) mapping
  3. The security advisory explicitly mentioning MITM vulnerability in Vault endpoint handling
  4. Lutra Security's analysis showing this was the primary vulnerable code path
  5. The patch adding a vault_endpoint_verify parameter to control validation
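The following is an added example, not BigFlow's own code and not part of the Miggo analysis. It shows, as constructed source strings, the weak shape described above (a requests.get call with verify=False) next to the hardened shape the patch is described as introducing (a vault_endpoint_verify parameter that defaults to validation on), and a small AST-based checker that a defender can run over Python source to flag requests calls that disable certificate verification. The function name get_vault_token and parameter vault_endpoint_verify come from the page; the argument names vault_endpoint and vault_secret, the header name and the JSON path are assumptions for illustration.

```python
import ast
from typing import List, Tuple

# Constructed sample of the vulnerable pattern (not BigFlow's actual code):
# requests.get is called with verify=False, so the server's certificate is
# never checked and any on-path host can pose as the Vault endpoint.
VULNERABLE_SRC = '''
import requests

def get_vault_token(vault_endpoint, vault_secret):
    # Certificate validation disabled: MITM on the Vault connection is possible
    response = requests.get(vault_endpoint, headers={"X-Vault-Token": vault_secret}, verify=False)
    response.raise_for_status()
    return response.json()["auth"]["client_token"]
'''

# Constructed sample of the hardened pattern: validation stays on by default and
# is controlled by a vault_endpoint_verify parameter (True, or a path to a CA bundle),
# which is the shape the advisory describes for the fix.
FIXED_SRC = '''
import requests

def get_vault_token(vault_endpoint, vault_secret, vault_endpoint_verify=True):
    response = requests.get(
        vault_endpoint,
        headers={"X-Vault-Token": vault_secret},
        verify=vault_endpoint_verify,
    )
    response.raise_for_status()
    return response.json()["auth"]["client_token"]
'''

# HTTP helpers of the requests module whose keyword arguments include verify=.
REQUESTS_CALLS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}


def _is_requests_call(node: ast.Call) -> bool:
    """True for calls of the form requests.<method>(...)."""
    func = node.func
    return (
        isinstance(func, ast.Attribute)
        and isinstance(func.value, ast.Name)
        and func.value.id == "requests"
        and func.attr in REQUESTS_CALLS
    )


def find_disabled_verification(source: str) -> List[Tuple[int, str]]:
    """Walk the module AST and return (line number, description) for every
    requests.<method>(...) call that passes the literal verify=False.

    Only literal False is flagged; verify bound to a variable or parameter is
    left alone, since its value is decided at runtime (as in the fixed sample)."""
    findings: List[Tuple[int, str]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _is_requests_call(node):
            continue
        for kw in node.keywords:
            if (
                kw.arg == "verify"
                and isinstance(kw.value, ast.Constant)
                and kw.value.value is False
            ):
                findings.append(
                    (node.lineno, f"requests.{node.func.attr} called with verify=False")
                )
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        print(label, find_disabled_verification(src))
```

Running the module prints one finding for the vulnerable sample (the requests.get line) and none for the fixed one. The checker deliberately reports only a literal verify=False; a parameter such as vault_endpoint_verify is not flagged, because the defensive property the fix introduces is that validation is on unless a caller opts out explicitly.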

WAF Protection Rules

WAF Rule

Allegro Tech BigFlow prior to 1.6.0 is vulnerable to Missing SSL Certificate Validation.
