CVE-2021-36377

7.5 HIGH

📋 TL;DR

This vulnerability in Fossil SCM software allows attackers to perform man-in-the-middle attacks by bypassing TLS certificate hostname validation. When Fossil connects to remote repositories over HTTPS, it may accept certificates that don't match the expected hostname, enabling interception of sensitive data. All users of affected Fossil versions are at risk when cloning or syncing with remote repositories.

💻 Affected Systems

Products:
  • Fossil SCM
Versions: All versions before 2.14.2 and 2.15.x before 2.15.2
Operating Systems: All platforms where Fossil runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects HTTPS connections to remote repositories; local repositories are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept and modify source code, commit history, or sensitive credentials during repository operations, potentially injecting malicious code or stealing intellectual property.

🟠 Likely Case

Man-in-the-middle attackers intercept repository traffic in untrusted networks, potentially accessing sensitive source code or commit metadata.

🟢 If Mitigated

With proper network controls and certificate pinning, impact is limited to denial of service if certificate validation fails.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires man-in-the-middle position on network path between client and repository server.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.2 or 2.15.2

Vendor Advisory: https://fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036

Restart Required: No

Instructions:

1. Download the latest Fossil version from fossil-scm.org
2. Replace the existing fossil binary with the new version
3. No restart needed; the new binary is used on the next fossil invocation

🔧 Temporary Workarounds

Use SSH instead of HTTPS (applies to: all platforms)

Configure Fossil to use the SSH protocol for repository operations instead of HTTPS:

fossil clone ssh://user@host/path/to/repo.fossil
fossil remote-url ssh://user@host/path/to/repo.fossil

Use local repositories only (applies to: all platforms)

Avoid syncing with remote repositories until patched.

🧯 If You Can't Patch

  • Use VPN or trusted network for all repository operations
  • Implement certificate pinning at network level using proxy or firewall

🔍 How to Verify

Check if Vulnerable:

Run 'fossil version' and check whether the reported version is before 2.14.2, or is 2.15.0 through 2.15.1

Check Version:

fossil version

Verify Fix Applied:

Confirm version is 2.14.2 or higher, or 2.15.2 or higher

📡 Detection & Monitoring

Log Indicators:

  • Failed TLS certificate validation warnings
  • Unexpected repository connection sources

Network Indicators:

  • HTTPS traffic to Fossil repositories from unexpected locations
  • Certificate validation failures in network logs

SIEM Query:

source="fossil" AND (event="certificate_validation_failed" OR event="tls_error")
