Couchbase .NET SDK Hostname Verification Vulnerability in TLS Certificates
Vulnerability
A vulnerability exists in the Couchbase .NET SDK (client library) in versions prior to 3.7.1, where hostname verification for TLS certificates is not properly enforced. The issue arises because the SDK was inadvertently configured to use the server's IP address instead of its hostname when verifying the certificate, and this setting was incorrectly enabled by default.
Impact
This vulnerability could allow man-in-the-middle attacks, in which an attacker intercepts and potentially alters the communication between the client and the server, because the client does not properly verify that the server's certificate matches its hostname.
Reproduction
To reproduce this vulnerability, use a version of the Couchbase .NET SDK prior to 3.7.1 and establish a TLS connection to a server whose certificate does not match the server's hostname. The SDK accepts the connection without proper hostname verification, which is the condition a man-in-the-middle attack relies on.
Remediation
Upgrade to Couchbase .NET SDK version 3.7.1 or later, which addresses the hostname verification issue for TLS certificates.
