GHSA-3xgr-h5hq-7299: GeoIP processor disables SSL certificate validation when downloading databases
The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.
The GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The initiateSSL() method incorrectly implemented an approach for trusting all certificates. Specifically it:
- Accepted all SSL certificates without validation
- Disabled server certificate verification
- Disabled client certificate verification
- Disabled hostname verification
This configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.
References
Code Behaviors & Features
Detect and mitigate GHSA-3xgr-h5hq-7299 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →