CVE-2021-39365
5.9 MEDIUMIn GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leavi...
Published: 2021-08-22 · Last updated: 2026-06-17
Severity and scoring
- CVSS
- 5.9 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-295
Affected products
| Vendor | Product |
|---|---|
| debian | debian_linux, grilo |
| gnome | debian_linux, grilo |
Description
In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS certificate verification on the SoupSessionAsync objects it creates, leaving users vulnerable to network MITM attacks. NOTE: this is similar to CVE-2016-20011.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39365
- [Vendor advisory]https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
- [Patch]https://gitlab.gnome.org/GNOME/grilo/-/issues/146
- [Other]https://lists.debian.org/debian-lts-announce/2021/09/msg00010.html
- [Other]https://www.debian.org/security/2021/dsa-4964
- [Vendor advisory]https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
- [Patch]https://gitlab.gnome.org/GNOME/grilo/-/issues/146
- [Other]https://lists.debian.org/debian-lts-announce/2021/09/msg00010.html
- [Other]https://www.debian.org/security/2021/dsa-4964
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-49975 — Memory Allocation with Excessive Size Value vulnerability in Apache HTTP Server's mod_http leads to denial of service via malicious HTTP ... (7.5 HIGH)
- CVE-2026-31431 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly r... (7.8 HIGH)
- CVE-2026-5201 — A flaw was found in the gdk-pixbuf library (7.5 HIGH)
Same CWE
- CVE-2025-71261 — An attacker with network-level access between the SUSE Virtualization and Rancher Manager in SUSE Harvester before 1.8.0 could interfere... (8.6 HIGH)
- CVE-2026-9259 — Improper validation of server certificates in Canon EOS Network Setting Tool Version 1.5.0 or earlier (6.5 MEDIUM)
- CVE-2026-9258 — Improper validation of SSH host keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier (6.5 MEDIUM)
- CVE-2026-45388 — In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows imp... (9.1 CRITICAL)
- CVE-2026-45170 — Idira Privilege Cloud Connector versions prior 1.1.100504 under specific conditions and configuration scenarios, TLS certificate validati...