MyProxy 5.0 through 5.2, as used in Globus Toolkit 5.0.0 through 5.0.2, does not properly verify the (1) hostname or (2) identity in the X.509 certificate for the myproxy-server, which allows remote attackers to spoof the server and conduct man-in-the-middle (MITM) attacks via a crafted certificate when executing (a) myproxy-logon or (b) myproxy-get-delegation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20
Products Affected
| Vendor | Product | Version |
|---|---|---|
| globus | globus_toolkit | 5.0.0 |
| ncsa | myproxy | 5.1 |
| globus | globus_toolkit | 5.0.2 |
| ncsa | myproxy | 5.0 |
| ncsa | myproxy | 5.2 |
| globus | globus_toolkit | 5.0.1 |

The GridFTP in Globus Toolkit (GT) before 5.2.2, when certain autoconf macros are defined, does not properly check the return value from the getpwnam_r function, which might allow remote attackers to gain privileges by logging in with a user that does not exist, which causes GridFTP to run as the last user in the password file.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264
Products Affected
| Vendor | Product | Version |
|---|---|---|
| globus | globus_toolkit | * |
| globus | globus_toolkit | 5.0.0 |
| globus | globus_toolkit | 5.2.0 |
| globus | globus_toolkit | 2.4.3 |
| globus | globus_toolkit | 5.0.4 |
| globus | globus_toolkit | 4.0.6 |
| globus | globus_toolkit | 4.0.1 |
| globus | globus_toolkit | 5.0.1 |
| globus | globus_toolkit | 2.0 |
| globus | globus_toolkit | 4.0.8 |
| globus | globus_toolkit | 5.0.2 |
| globus | globus_toolkit | 4.0.4 |
| globus | globus_toolkit | 5.0.3 |
| globus | globus_toolkit | 4.2.0 |
| globus | globus_toolkit | 2.2 |
| globus | globus_toolkit | 3.2.1 |
| globus | globus_toolkit | 4.2.1 |
| globus | globus_toolkit | 3.0.2 |
| globus | globus_toolkit | 4.0.0 |
| globus | globus_toolkit | 4.0.2 |
| globus | globus_toolkit | 4.0.7 |
| globus | globus_toolkit | 5.0.5 |
| globus | globus_toolkit | 4.0.3 |
| globus | globus_toolkit | 4.0.5 |