CVE-2022-27820: 
Java vulnerability analysis and mitigation

OWASP Zed Attack Proxy (ZAP) through version 2022-03-21 contains a security vulnerability where it does not verify the TLS certificate chain of HTTPS servers. This vulnerability was assigned CVE-2022-27820 and was initially reported through BugCrowd (GitHub Issue, OSS Security).

The vulnerability stems from ZAP's behavior of not validating certificate chains when connecting to HTTPS servers. When connecting to a server with a self-signed or invalid certificate, ZAP generates a valid certificate from its own certificate authority, which is then configured as trusted in the browser to enable TLS interception. This occurs without warning or verification of the original server's certificate chain (OSS Security).

The vulnerability exposes users to two main security risks: 1) Man-in-the-middle (MITM) attacks where sensitive information could be intercepted when using a browser through ZAP, particularly concerning for existing browser profiles and active sessions, and 2) DNS rebinding attacks against HTTPS services configured as default virtual hosts, which could potentially allow attackers to conduct password brute force attempts, send stored XSS payloads, or target internal network services (GitHub Issue).

Two potential solutions were proposed: 1) Mirror the status of the original certificate chain by not generating a ZAP-signed certificate when the HTTPS server presents an untrusted certificate chain, and replicating the validity period of the original certificate, or 2) Reject invalid certificate chains entirely, similar to mitmproxy's approach of returning a 502 error with an explanation of the certificate verification failure (GitHub Issue).