CVE-2020-12105 — Improper Handling of Exceptional Conditions in Openconnect

CWE-755 — Improper Handling of Exceptional Conditions CWE-20 — Improper Input Validation8 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.2%

top 61.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Infradead Openconnect Opensuse Leap

Timeline

PublishedApr 23

Latest updateMay 24

Description

OpenConnect through 8.08 mishandles negative return values from X509_check_ function calls, which might assist attackers in performing man-in-the-middle attacks.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶NVDinfradead/openconnect8.08

▶NVDopensuse/leap15.1

🔴Vulnerability Details

GHSA

GHSA-wr4v-x69c-q5jx: OpenConnect through 8↗2022-05-24

▶

CVEList

CVE-2020-12105: OpenConnect through 8↗2020-04-23

▶

OSV

CVE-2020-12105: OpenConnect through 8↗2020-04-23

▶

📋Vendor Advisories

Debian

CVE-2020-12105: openconnect - OpenConnect through 8.08 mishandles negative return values from X509_check_ func...↗2020

▶

💬Community

Bugzilla

CVE-2020-12105 openconnect: incorrect use of negative return values from X509_check_ functions can lead to MITM attacks [fedora-all]↗2020-05-21

▶

Bugzilla

CVE-2020-12105 openconnect: incorrect use of negative return values from X509_check_ functions can lead to MITM attacks↗2020-05-21

▶

Bugzilla

CVE-2020-12105 openconnect: incorrect use of negative return values from X509_check_ functions can lead to MITM attacks [epel-all]↗2020-05-21

▶