CVE-2025-68637
BaseFortify
Publication date: 2026-01-07
Last updated on: 2026-01-16
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | uniffle | all versions before 0.10.0 (0.10.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-297 | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is that the Uniffle HTTP client is configured to trust all SSL certificates and disables hostname verification by default. This insecure setup means that the REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service can be intercepted or tampered with by attackers through Man-in-the-Middle (MITM) attacks.
How can this vulnerability impact me?
This vulnerability can allow attackers to intercept, read, or modify the data exchanged between the Uniffle client and coordinator service. This could lead to unauthorized access, data leakage, or manipulation of the communication, compromising the security and integrity of the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Uniffle HTTP client to version 0.10.0 or later, as this version fixes the insecure configuration that trusts all SSL certificates and disables hostname verification, thereby mitigating the risk of Man-in-the-Middle (MITM) attacks.
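The misconfiguration described above, and the fix it implies, as an added Java illustration written for this page (it is not Uniffle's own client code, and the coordinator URL is a placeholder): the insecure client installs a trust manager that accepts every certificate chain and a hostname verifier that accepts every host, which is exactly the CWE-297 condition; the hardened client keeps the JVM's default trust store and default hostname verification, so a forged or mismatched certificate aborts the handshake instead of being silently accepted.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.net.URI;
import java.net.URL;
import java.security.cert.X509Certificate;

public class CoordinatorTlsClient {

    // VULNERABLE pattern (illustration of the CWE-297 misconfiguration, not Uniffle's code):
    // every certificate chain is accepted and the hostname is never compared to the
    // certificate, so any on-path party presenting any certificate is trusted.
    static HttpsURLConnection insecureConnection(URL url) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> true); // disables hostname verification
        return conn;
    }

    // HARDENED pattern: null trust managers select the platform trust store (or the one
    // given via -Djavax.net.ssl.trustStore), which validates the chain, and the default
    // hostname verifier is left in place so the certificate must match the URL's host.
    static HttpsURLConnection secureConnection(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(...) call: the default verifier stays active.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder coordinator URL; substitute the real REST endpoint of your deployment.
        URL coordinator = URI.create("https://coordinator.example.internal/api").toURL();
        HttpsURLConnection conn = secureConnection(coordinator);
        // With the hardened client, an untrusted chain or a name mismatch surfaces here as
        // an SSLHandshakeException / SSLPeerUnverifiedException instead of succeeding.
        conn.connect();
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Auditing for this bug means searching a client's code for the two ingredients shown in `insecureConnection`: an `X509TrustManager` whose `checkServerTrusted` never throws, and a `HostnameVerifier` that returns `true` unconditionally.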