CVE-2020-8987 - OpenCVE

Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with "Allow filtering of HTTPS traffic for tracking detection" enabled. (This is the default configuration.)

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Avast	Antitrack Avg Antitrack

Configuration 1 [-]

OR	cpe:2.3:a:avast:antitrack::::::::
	cpe:2.3:a:avast:avg_antitrack::::::::

No data.

References

Link	Providers
https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast
https://www.davideade.com/2020/03/avast-antitrack.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-03-09T16:38:32

Updated: 2024-08-04T10:19:19.752Z

Reserved: 2020-02-13T00:00:00

Link: CVE-2020-8987

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-03-09T17:15:12.307

Modified: 2020-03-10T18:34:21.237

Link: CVE-2020-8987

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2020-03-06T00:00:00", "descriptions": [{"lang": "en", "value": "Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with \"Allow filtering of HTTPS traffic for tracking detection\" enabled. (This is the default configuration.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-09T16:38:32", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast"}, {"tags": ["x_refsource_MISC"], "url": "https://www.davideade.com/2020/03/avast-antitrack.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8987", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with \"Allow filtering of HTTPS traffic for tracking detection\" enabled. (This is the default configuration.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast", "refsource": "CONFIRM", "url": "https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast"}, {"name": "https://www.davideade.com/2020/03/avast-antitrack.html", "refsource": "MISC", "url": "https://www.davideade.com/2020/03/avast-antitrack.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:19:19.752Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.davideade.com/2020/03/avast-antitrack.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8987", "datePublished": "2020-03-09T16:38:32", "dateReserved": "2020-02-13T00:00:00", "dateUpdated": "2024-08-04T10:19:19.752Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avast:antitrack:*:*:*:*:*:*:*:*", "matchCriteriaId": "21120919-90BA-4DCC-93EC-3445AB7E9B47", "versionEndExcluding": "1.5.1.172", "vulnerable": true}, {"criteria": "cpe:2.3:a:avast:avg_antitrack:*:*:*:*:*:*:*:*", "matchCriteriaId": "9BAD0CC5-24B6-4E48-A537-1F37E664BF7C", "versionEndExcluding": "2.0.0.178", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Avast AntiTrack before 1.5.1.172 and AVG Antitrack before 2.0.0.178 proxies traffic to HTTPS sites but does not validate certificates, and thus a man-in-the-middle can host a malicious website using a self-signed certificate. No special action necessary by the victim using AntiTrack with \"Allow filtering of HTTPS traffic for tracking detection\" enabled. (This is the default configuration.)"}, {"lang": "es", "value": "Avast AntiTrack versiones anteriores a 1.5.1.172 y AVG Antitrack versiones anteriores a 2.0.0.178, env\u00edan tr\u00e1fico hacia los sitios HTTPS pero no se comprueban los certificados, por lo que un ataque de tipo man-in-the-middle puede alojar un sitio web malicioso usando un certificado autofirmado. Una v\u00edctima no necesita ninguna acci\u00f3n especial usando AntiTrack con \"Allow filtering of HTTPS traffic for tracking detection\" habilitado. (Esta es la configuraci\u00f3n predeterminada.)"}], "id": "CVE-2020-8987", "lastModified": "2020-03-10T18:34:21.237", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-09T17:15:12.307", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.avast.com/hacker-hall-of-fame/en/researcher-david-eade-reports-antitrack-bug-to-avast"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.davideade.com/2020/03/avast-antitrack.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}