By default, the Uniffle HTTP client trusts all SSL certificates and disables hostname verification. Because neither the server's certificate chain nor its identity is checked, this insecure configuration exposes all REST API communication between the Uniffle CLI/client and the Uniffle Coordinator service to potential man-in-the-middle (MITM) attacks.
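Uniffle itself is a Java project and the advisory carries no code, so the program below is an added illustration, not Uniffle's own code. It reproduces the same misconfiguration with Go's standard library (InsecureSkipVerify plays the role of a trust-all TrustManager combined with a no-op HostnameVerifier) and contrasts it with a verifying client. It starts a local TLS stub with a self-signed certificate that no trust store knows about (a stand-in for the Coordinator; the JSON it returns is constructed) and shows that the trust-all client connects to it without complaint, the client using the default trust store rejects it with an x509 error, and a client that trusts the correct CA still works. The function names (Run, insecureClient, verifyingClient, fetch) are this example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newCoordinatorStub starts a TLS server whose self-signed certificate is not
// in any trust store. It stands in for a Coordinator; the body is constructed.
func newCoordinatorStub() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"nodes":[]}`)
	}))
}

// insecureClient reproduces the vulnerable configuration: every certificate is
// accepted and the hostname is never compared with the certificate. This is
// Go's analogue of a trust-all TrustManager plus a no-op HostnameVerifier.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// verifyingClient is the hardened configuration: only certificates chaining to
// the given CA pool are accepted and hostname verification stays enabled.
// A nil pool means the system trust store.
func verifyingClient(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// fetch performs one GET and reports whether the TLS handshake and request
// succeeded, returning the error text when they did not.
func fetch(c *http.Client, url string) (ok bool, errText string) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err.Error()
	}
	resp.Body.Close()
	return true, ""
}

// Outcome records how each client configuration fares against the untrusted stub.
type Outcome struct {
	InsecureOK bool   // trust-all client: silently accepts the untrusted certificate
	DefaultOK  bool   // default trust store: must reject it
	DefaultErr string // the rejection reason (an x509 verification error)
	PinnedOK   bool   // client that explicitly trusts the stub's CA: must succeed
}

// Run exercises all three clients against the stub and returns the results.
func Run() Outcome {
	srv := newCoordinatorStub()
	defer srv.Close()

	var o Outcome
	o.InsecureOK, _ = fetch(insecureClient(), srv.URL)
	o.DefaultOK, o.DefaultErr = fetch(verifyingClient(nil), srv.URL)

	// The legitimate fix is not to disable verification but to trust the right CA.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	o.PinnedOK, _ = fetch(verifyingClient(pool), srv.URL)
	return o
}

func main() {
	o := Run()
	fmt.Printf("trust-all client connected:              %v\n", o.InsecureOK)
	fmt.Printf("default-trust-store client connected:    %v (%s)\n", o.DefaultOK, o.DefaultErr)
	fmt.Printf("client trusting the stub's CA connected: %v\n", o.PinnedOK)
}
```

Run it with `go run`; the trust-all client is the only one that cannot tell a legitimate Coordinator from an impostor. The Java equivalent of the hardened client is to leave the JVM's default SSLContext and hostname verifier in place (or to load the deployment's CA into a truststore) rather than installing a trust-all TrustManager and a HostnameVerifier that always returns true.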
This issue affects all versions before 0.10.0. Users are recommended to upgrade to version 0.10.0, which fixes the issue.

roryqi <[email protected]> wrote on Saturday, December 27, 2025 at 18:31:
>
> Severity:
>
> Affected versions:
>
> - undefined before 0.10.0
>
> Description:
>
> A vulnerability.
>
> This issue affects undefined: from before 0.10.0.
>
> Users are recommended to upgrade to version 0.10.0, which fixes the issue.
>
> Credit:
>
> omkar parkhe (finder)
>
> References:
>
> https://uniffle.apache.org
> https://www.cve.org/CVERecord?id=CVE-2025-68637
