Major Description
- Vulnerability Description: In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java” overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
- Reason it’s vulnerable: It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but returning hard-coded true. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
- Suggested Fix: Adding necessary certificate verification logic in the overridden methods. This is an example code showing a format that can be used and modified appropriately to implement the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .
- Feedback: Please select any of the options down below to help us get an idea about how you felt about the suggestion -
- Liked it and will make the suggested changes
- Liked it but happy with the existing version
- Didn’t find the suggestion helpful
Attachments
Issue Links
- links to