Message-ID: <CA+p5cO4ATn-ZDp0GvrokrQkJW1D4AJ54qm5X-Lxyn_w0YzRcfg@mail.gmail.com>
Date: Mon, 17 Nov 2025 13:00:42 +0530
From: tanish saxena <tanish.saxena26@...il.com>
To: oss-security@...ts.openwall.com
Subject: GitGuardian GGShield SSL/TLS Verification Bypass (No CVE)
Hello,
This is a public disclosure of a security issue identified in GitGuardian's
GGShield CLI tool: an SSL/TLS certificate verification bypass triggered
through the `--allow-self-signed` flag and related configuration.
Although this issue did not receive a CVE assignment, it was escalated
through proper coordinated disclosure channels, including CERT/CC. The vendor
has since implemented mitigations in GGShield v1.44.1.
---
Summary
-------
Product: GGShield (GitGuardian secrets scanning CLI)
Affected Versions: ≤ v1.43.0
Type: SSL/TLS Verification Disablement (CWE-295)
Impact: Man-in-the-middle risk on all API communications
Disclosure Status: Public, vendor updated behavior in v1.44.1
---
Technical Details
-----------------
GGShield provides an option called `--allow-self-signed` which internally
disables *all* SSL/TLS certificate verification, not only self-signed
certificate checks.
Code (the affected helper; the flag name promises to tolerate self-signed
certificates, but the code turns verification off for every certificate):

    from requests import Session
    import urllib3

    def create_session(allow_self_signed: bool = False) -> Session:
        session = Session()
        if allow_self_signed:
            # Also silences urllib3's InsecureRequestWarning, so the user
            # gets no visible hint that verification is off
            urllib3.disable_warnings()
            session.verify = False  # All certificate validation disabled
        return session
This effectively makes all GGShield API calls vulnerable to interception via
Man-in-the-Middle (MitM) attacks, leakage of scanned content, credential theft,
and manipulation of scan results.
---
Attack Scenarios
----------------
1. Developer on untrusted WiFi using `--allow-self-signed`
2. CI/CD pipelines where troubleshooting instructions suggest bypassing SSL
3. Enterprise networks with transparent proxies abusing disabled validation
4. Internal threat actor with network access
---
Vendor Response & Mitigations
-----------------------------
In GGShield v1.44.1, GitGuardian introduced several improvements:
- Added a new `--insecure` flag to clearly indicate total SSL bypass
- Added prominent warnings when SSL verification is disabled
- Deprecated the misleading `--allow-self-signed` flag
- Recommended using system certificate trust stores instead
These changes mitigate user confusion and reduce accidental insecure usage.
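To make the contrast concrete, here is an added example (my own illustration, not
GGShield's code) of what the `create_session` snippet above should have done and
what the v1.44.1 split into `--insecure` plus a trust-store recommendation amounts
to: "allow self-signed" is expressed as trusting one explicit CA bundle with
verification left on, total bypass is a separate, loudly warned option, and a
missing bundle fails closed. The `ca_bundle` parameter and the warning text are my
assumptions; the stdlib `ssl` context stands in for a requests `Session`.

```python
import ssl
from typing import Optional


def build_tls_context(ca_bundle: Optional[str] = None,
                      insecure: bool = False) -> ssl.SSLContext:
    """Build the TLS settings a CLI hands to its HTTP client.

    ca_bundle: PEM file holding the internal or self-signed CA to trust
               (assumed to be supplied by the operator, the same idea as
               requests' REQUESTS_CA_BUNDLE or session.verify="/path/ca.pem").
    insecure:  reproduces the <= v1.43.0 `--allow-self-signed` effect
               (session.verify = False); kept only to show the contrast.
    """
    if ca_bundle is not None and insecure:
        raise ValueError("--insecure and a CA bundle are mutually exclusive")
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    if insecure:
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE     # accept any certificate at all
        return ctx
    if ca_bundle is not None:
        # Fail closed: a missing or unreadable bundle raises OSError here
        # instead of silently widening trust to every certificate.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def verification_warning(ctx: ssl.SSLContext) -> Optional[str]:
    """Return the prominent warning a CLI should print, or None if safe."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return ("WARNING: TLS certificate verification is disabled; "
                "API traffic, scanned content and credentials can be intercepted")
    if not ctx.check_hostname:
        return "WARNING: hostname checking is disabled"
    return None


if __name__ == "__main__":
    for label, ctx in (("default", build_tls_context()),
                       ("--insecure", build_tls_context(insecure=True))):
        print(label, "->", verification_warning(ctx) or "verification on")
```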
---
Timeline
--------
2025-09-20 – Initial report to vendor
2025-10-13 – Vendor responds, considers behavior “intentional”
2025-10-20 – Vendor declines changes at that time
2025-11-13 – CERT/CC advises researcher to proceed with public disclosure
2025-11-16 – Vendor releases v1.44.1 with mitigations (1 week)
2025-11-17 – Public disclosure
---
Author
------
Tanish Saxena
Independent Security Researcher
This disclosure is provided in good faith for user protection and awareness.
Regards,
Tanish