Vulnerability CVE-2020-13645: Information

Description

In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This contradicts its documented behavior, which is to fail the certificate verification in that case. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Published: May 28, 2020
Modified: Nov. 7, 2023
Weakness type identifier: CWE-295

Fixed packages

Package name     | Branch   | Fixed in version  | Version from repository | Errata ID          | Task # | State
glib-networking  | sisyphus | 2.64.3-alt1       | 2.80.0-alt1             | ALT-PU-2020-2048-1 | 251581 | Fixed
glib-networking  | p10      | 2.64.3-alt1       | 2.68.3-alt1             | ALT-PU-2020-2048-1 | 251581 | Fixed
glib-networking  | p9       | 2.60.3-alt1.p9.1  | 2.60.3-alt1.p9.2        | ALT-PU-2020-3207-1 | 260213 | Fixed
glib-networking  | c10f1    | 2.64.3-alt1       | 2.68.3-alt1             | ALT-PU-2020-2048-1 | 251581 | Fixed
glib-networking  | c9f2     | 2.60.3-alt1.p9.1  | 2.60.3-alt1.p9.1        | ALT-PU-2020-3282-1 | 261083 | Fixed

References to Advisories, Solutions, and Tools

Configuration 1

      cpe:2.3:a:gnome:balsa:2.6.0:*:*:*:*:*:*:*

      cpe:2.3:a:gnome:balsa:*:*:*:*:*:*:*:*
      End excluding 2.5.11

      cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*:*
      End excluding 2.62.4

      cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*:*
      Start including 2.64.0
      End excluding 2.64.3

Configuration 2

      cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

      cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 3

      cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

      cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 4

      cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*

      cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*