Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM
Vulnerability Description
Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
对宿主不匹配的证书验证不恰当
Vulnerability Title
galaxy-fds-sdk-android 安全漏洞
Vulnerability Description
galaxy-fds-sdk-android是Xiaomi开源的一个用于小米文件数据存储的开发者工具包。 galaxy-fds-sdk-android 3.0.8及之前版本存在安全漏洞,该漏洞源于启用HTTPS时禁用TLS主机名验证,可能导致中间人攻击者拦截和修改通信,暴露身份验证凭据和文件内容。
CVSS Information
N/A
Vulnerability Type
N/A