A critical vulnerability exists in the Uniffle HTTP client, impacting all versions prior to 0.10.0. The client is insecurely configured by default to trust all SSL certificates and disable hostname verification, which allows a network-based attacker to intercept, read, and modify all communication between Uniffle clients and the Coordinator service, potentially leading to data theft and system compromise.

The Uniffle HTTP client implements an insecure default TLS configuration. It is programmed to accept any SSL certificate presented by a server without proper validation and fails to verify that the certificate's hostname matches the server it is connecting to. An attacker with a privileged position on the network (e.g., on the same local network or a compromised network device) can exploit this by performing a Man-in-the-Middle (MITM) attack. The attacker can intercept the connection and present a self-signed or otherwise invalid certificate, which the client will trust, allowing the attacker to decrypt, monitor, and manipulate all REST API traffic in transit.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation could have a severe impact on the business by compromising the confidentiality and integrity of data transmitted to and from the Uniffle Coordinator service. An attacker could intercept sensitive credentials, proprietary data, or configuration details. Furthermore, by modifying API requests in transit, an attacker could potentially inject malicious commands, disrupt service operations, or escalate privileges within the environment, leading to a wider system compromise.

Immediate Action: Upgrade all affected Uniffle components to version 0.10.0 or later, which corrects the insecure TLS configuration. After patching, verify that all client-to-coordinator connections are successfully established using proper certificate validation.

Proactive Monitoring: Security teams should monitor network traffic for signs of MITM attacks, such as anomalous TLS handshakes or certificate errors originating from other, properly configured clients. Review Uniffle Coordinator service access logs for any unusual or unauthorized API calls that could indicate a past or ongoing compromise.

Compensating Controls: If immediate patching is not feasible, implement network segmentation to restrict communication to the Uniffle Coordinator service from only trusted network zones. Enforce end-to-end encryption at the transport layer using a technology like IPsec or a trusted VPN for all communication between Uniffle clients and the Coordinator.

Public Exploit Available: false

Given the critical CVSS score of 9.1 and the fundamental risk of a Man-in-the-Middle attack, we strongly recommend that organizations prioritize patching this vulnerability immediately. All instances of Uniffle should be upgraded to version 0.10.0 or a later release without delay. Although this CVE is not currently on the CISA KEV list, the severity warrants urgent attention to prevent potential data breaches and system compromise.