Wiz
Vulnerability DatabaseCVE-2021-44273

CVE-2021-44273
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2021-44273 affects e2guardian versions 5.4.x up to and including 5.4.3r, specifically when operating in standalone mode with SSL MITM enabled. The vulnerability was discovered in December 2021 and involves missing SSL certificate validation in the SSL MITM engine. When built with OpenSSL v1.1.x, e2guardian failed to validate hostnames in certificates of web servers it connected to (OSS Security, NVD).

Technical details

The vulnerability occurs when e2guardian is compiled against OpenSSL 1.1.x and operates in standalone mode (as a proxy or transparent proxy). The core issue is that the software did not implement proper certificate hostname validation, allowing connections to servers with mismatched hostnames in their SSL certificates. This was demonstrated through successful connections to domains like wrong.host.badssl.com that should normally be rejected (Github Issue). The vulnerability has been assigned a CVSS v3.1 base score of 7.4 (HIGH) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).

Impact

The vulnerability significantly compromises the security of systems it was meant to protect. An attacker positioned between e2guardian and the target web server could perform man-in-the-middle (MITM) attacks by presenting any valid certificate, regardless of the hostname. This could lead to potential interception and manipulation of supposedly secure communications (OSS Security).

Mitigation and workarounds

The issue has been fixed in the v5.4 branch through a patch that implements proper certificate hostname validation. The fix involves adding X509VERIFYPARAMset1host verification for OpenSSL versions 1.1.0 and above (Github Commit). Systems using OpenSSL 1.0.2 or operating e2guardian as ICAP servers are not affected by this vulnerability (OSS Security).

Community reactions

Security researchers have noted that this vulnerability, along with similar incidents, suggests that requirements to MITM all SSL traffic might actually lower security rather than enhance it. This is because browsers typically have the best available quality of TLS implementations (OSS Security).

Additional resources

SourceThis report was generated using AI

Related Linux Debian vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-61729HIGH7.5
  • DockerDocker
  • golang-1.19
NoYesDec 02, 2025
CVE-2025-64460HIGH7.5
  • Linux DebianLinux Debian
  • python-django
NoYesDec 02, 2025
CVE-2025-65187MEDIUM6.1
  • Linux DebianLinux Debian
  • civicrm
NoNoDec 02, 2025
CVE-2025-65105MEDIUM4.5
  • Linux DebianLinux Debian
  • github.com/apptainer/apptainer
NoYesDec 02, 2025
CVE-2025-13372MEDIUM4.3
  • Linux DebianLinux Debian
  • py3-django
NoYesDec 02, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo