NVD Vulnerability Detail

CVE-2020-8289

Summary	Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in `bztransmit` helper due to hardcoded whitelist of strings in URLs where validation is disabled leading to possible remote code execution via client update functionality.
Publication Date	Dec. 27, 2020, 11:15 a.m.
Registration Date	Jan. 26, 2021, 12:01 p.m.
Last Update	Nov. 21, 2024, 2:38 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:backblaze:backblaze::::::macos::*				7.0.1.434
cpe:2.3:a:backblaze:backblaze::::::windows::*				7.0.1.433

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2020/Dec/57	Mailing List Third Party Advisory
2	http://seclists.org/fulldisclosure/2020/Dec/57	Mailing List Third Party Advisory
3	http://seclists.org/fulldisclosure/2020/Dec/58	Mailing List Third Party Advisory
4	http://seclists.org/fulldisclosure/2020/Dec/58	Mailing List Third Party Advisory
5	https://github.com/geffner/CVE-2020-8289/blob/master/README.md	Exploit Third Party Advisory
6	https://github.com/geffner/CVE-2020-8289/blob/master/README.md	Exploit Third Party Advisory
7	https://hackerone.com/reports/818853	Permissions Required
8	https://hackerone.com/reports/818853	Permissions Required
9	https://www.backblaze.com/blog/backblaze-cloud-backup-release-7-0-1/	Third Party Advisory
10	https://www.backblaze.com/blog/backblaze-cloud-backup-release-7-0-1/	Third Party Advisory
11	https://youtu.be/W0THXbcX5V8	Exploit Third Party Advisory
12	https://youtu.be/W0THXbcX5V8	Exploit Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html

JVN Vulnerability Information

Backblaze の複数の OS 用 backblaze における証明書検証に関する脆弱性

Title	Backblaze の複数の OS 用 backblaze における証明書検証に関する脆弱性
Summary	Backblaze の複数の OS 用 backblaze には、証明書検証に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 27, 2020, midnight
Registration Date	July 18, 2024, 7:28 p.m.
Last Update	July 18, 2024, 7:28 p.m.

Affected System

Backblaze

backblaze 7.0.1.433 未満

backblaze 7.0.1.434 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-8289	https://www.cve.org/CVERecord?id=CVE-2020-8289
National Vulnerability Database (NVD)
2	CVE-2020-8289	https://nvd.nist.gov/vuln/detail/CVE-2020-8289

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-295	https://cwe.mitre.org/data/definitions/295.html

その他

No	Name	URL
関連文書
1	github.com (README.md)	https://github.com/geffner/CVE-2020-8289/blob/master/README.md
2	seclists.org (Dec/57)	http://seclists.org/fulldisclosure/2020/Dec/57
3	seclists.org (Dec/58)	http://seclists.org/fulldisclosure/2020/Dec/58
4	www.backblaze.com (backblaze-cloud-backup-release-7-0-1)	https://www.backblaze.com/blog/backblaze-cloud-backup-release-7-0-1/
5	youtu.be (W0THXbcX5V8)	https://youtu.be/W0THXbcX5V8

Change Log

No	Changed Details	Date of change
1	[2024年07月18日] 掲載	July 18, 2024, 6:57 p.m.