OWASP Zed Attack Proxy (ZAP) through w2022-03-21 does not verify the TLS certificate chain of an HTTPS server.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-27820
- https://github.com/zaproxy/zaproxy/releases
- https://www.openwall.com/lists/oss-security/2022/03/23/1
- http://www.openwall.com/lists/oss-security/2022/03/24/3
- https://github.com/zaproxy/zaproxy/issues/7165
- https://github.com/advisories/GHSA-j7xg-5549-jr3j