CVE-2020-13645

Published: May 28, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.

Affected (12)

Products: Gnome: Balsa, Glib Networking · Canonical: Ubuntu Linux · Fedoraproject: Fedora · +2 more

Show all products

Gnome: Balsa, Glib Networking · Canonical: Ubuntu Linux · Fedoraproject: Fedora · Broadcom: Fabric Operating System · Netapp: Cloud Backup

2 products

Glib Networking

1 product

1 product

1 product

Fabric Operating System

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Gnome Balsa	Before 2.5.11
Gnome Balsa	Version 2.6.0
Gnome Glib Networking	Before 2.62.4
Gnome Glib Networking	From 2.64.0 to 2.64.3

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 19.10
Canonical Ubuntu Linux	Version 20.04

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 31
Fedoraproject Fedora	Version 32

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Broadcom Fabric Operating System	All versions
Netapp Cloud Backup	All versions

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (16)

https://gitlab.gnome.org/GNOME/balsa/-/issues/34

Source: cve@mitre.org

ExploitVendor Advisory

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Source: cve@mitre.org

ExploitVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/

Source: cve@mitre.org

https://security.gentoo.org/glsa/202007-50

Source: cve@mitre.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200608-0004/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4405-1/

Source: cve@mitre.org

Third Party Advisory

https://gitlab.gnome.org/GNOME/balsa/-/issues/34

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202007-50

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20200608-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/4405-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.