QwikSec

Security Database

CVE

CWE

Training

CVE-2020-8289

Published: Dec 27, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434 suffer from improper certificate validation in `bztransmit` helper due to hardcoded whitelist of strings in URLs where validation is disabled leading to possible remote code execution via client update functionality.

Vendor	Product	Versions
n/a	Backblaze	affected `Backblaze for Windows before 7.0.1.433 and Backblaze for macOS before 7.0.1.434`

Weaknesses (CWE)

References

https://hackerone.com/reports/818853

x_refsource_MISC

https://youtu.be/W0THXbcX5V8

x_refsource_MISC

https://github.com/geffner/CVE-2020-8289/blob/master/README.md

x_refsource_MISC

https://www.backblaze.com/blog/backblaze-cloud-backup-release-7-0-1/

x_refsource_MISC

20201229 Re: [FD] CVE-2020-8150 - Remote Code Execution as SYSTEM/root via Backblaze

mailing-list

x_refsource_FULLDISC

20201229 Re: CVE-2020-8150 - Remote Code Execution as SYSTEM/root via Backblaze

mailing-list

x_refsource_FULLDISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.