
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-36377 affects Fossil versions before 2.14.2 and 2.15.x before 2.15.2, in which the client often skips the hostname check during TLS certificate validation. The vulnerability was discovered in June 2021 and disclosed through the Fossil developers' chatroom (Fossil Forum).
The vulnerability is classified as CWE-295 (Improper Certificate Validation) with a CVSS v3.1 Base Score of 7.5 (HIGH). The technical issue is that the client-side TLS code did not verify that the hostname of the server being contacted matched the hostname contained in the server's TLS certificate. As a result, an HTTPS connection succeeded with any certificate that chained to a trusted CA, regardless of which hostname that certificate had been issued for (NVD).
When exploited, this vulnerability could allow an attacker to perform man-in-the-middle attacks, since the certificate validation process never binds the presented certificate to the expected hostname. The connection is still encrypted, but the client may not be talking to the intended server, potentially exposing sensitive information such as repository contents or credentials to an unauthorized party (Fossil Forum).
Users should upgrade to Fossil version 2.15.2, version 2.14.2, or any build dated 2021-06-15 or later. The fix has been applied on the trunk, 2.15, and 2.14 branches (Fossil Forum, Fedora Advisory).
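The following is an added example, not Fossil's own code, showing what a TLS client loses when it validates the certificate chain but skips the hostname check: the two validation policies side by side, a minimal RFC 6125 DNS-ID matcher, and the two Python `ssl` settings that enable both checks. The peer certificate and hostnames are constructed sample values.

```python
import ssl

# Constructed sample: a peer certificate in the dict shape that
# ssl.SSLSocket.getpeercert() returns. It chains to a trusted CA but
# was issued for www.example.com, not for the host we intended to reach.
PEER_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

def _dns_id_matches(pattern, hostname):
    """Case-insensitive DNS-ID comparison (RFC 6125 section 6.4.3): a single
    '*' may stand in for the leftmost label only, so '*.example.com' covers
    'api.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def hostname_matches(cert, hostname):
    """True only if hostname is covered by a DNS subjectAltName entry; the
    commonName is ignored, as modern verifiers do when SANs are present."""
    dns_ids = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_dns_id_matches(p, hostname) for p in dns_ids)

def accept_peer(cert, chain_trusted, intended_host, check_hostname=True):
    """The two policies side by side. With check_hostname=False (the CWE-295
    behaviour described above) every CA-issued certificate passes; with it on,
    the certificate must also name the host the client asked for."""
    if not chain_trusted:
        return False
    if not check_hostname:
        return True  # identity of the peer never bound to the certificate
    return hostname_matches(cert, intended_host)

def hardened_context():
    """Client context with both checks enabled (Python's default; shown
    explicitly so the two settings that matter are visible)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

Auditing a client for this class of bug means confirming both that the chain is verified and that the verified certificate is matched against the requested hostname; either check alone leaves the CWE-295 gap.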
Source: This report was generated using AI