In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC prior to 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.
Vulnerable Product |
---|
tigervnc tigervnc |
debian debian linux 9.0 |
opensuse leap 15.2 |
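
The difference between storing an accepted certificate as an authority and storing it as an exception for one host can be seen in a toy model. This is an added example, not TigerVNC code: the `Cert` struct, both store classes, the host names and the fingerprints are constructed for illustration, signature checking is reduced to issuer-name matching, and the pinned store is an assumed design rather than a description of the 1.11.0 change.

```cpp
// Toy model (added illustration, not TigerVNC code): certificates are plain
// structs and signature verification is reduced to matching issuer names.
#include <cstdio>
#include <map>
#include <set>
#include <string>

struct Cert {
    std::string subject;      // host name the certificate claims
    std::string issuer;       // subject of the certificate that signed it
    std::string fingerprint;  // stands in for a hash of the encoded certificate
};

// Behaviour the advisory describes: an accepted exception becomes an authority.
class AuthorityStore {
    std::set<std::string> authorities_;  // subjects trusted as issuers
public:
    void add_exception(const Cert& c) { authorities_.insert(c.subject); }
    // Trust follows the issuer, so it extends to every host that issuer names.
    bool accepts(const std::string& host, const Cert& c) const {
        return c.subject == host && authorities_.count(c.issuer) > 0;
    }
};

// Scoped alternative (assumed design): one host bound to one exact certificate.
class PinnedExceptionStore {
    std::map<std::string, std::string> pins_;  // host -> fingerprint
public:
    void add_exception(const std::string& host, const Cert& c) { pins_[host] = c.fingerprint; }
    bool accepts(const std::string& host, const Cert& c) const {
        auto it = pins_.find(host);
        return it != pins_.end() && it->second == c.fingerprint;
    }
};

// Constructed sample data: a self-signed certificate the user accepted, and a
// second certificate for a different host issued under the first one.
const Cert kExcepted{"vnc-a.example", "vnc-a.example", "fp-a"};
const Cert kIssuedLater{"vnc-b.example", "vnc-a.example", "fp-b"};

int main() {
    AuthorityStore flawed;
    flawed.add_exception(kExcepted);
    PinnedExceptionStore pinned;
    pinned.add_exception("vnc-a.example", kExcepted);
    std::printf("authority store accepts vnc-b: %d\n", flawed.accepts("vnc-b.example", kIssuedLater));
    std::printf("pinned store accepts vnc-b:    %d\n", pinned.accepts("vnc-b.example", kIssuedLater));
    return 0;
}
```

When reviewing a client's exception handling, the property to check is that an accepted certificate is matched by host and exact certificate, and never reaches the set used to validate issuers.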