CVE-2020-13645 — Improper Certificate Validation in Balsa
Severity
6.5MEDIUMNVD
EPSS
0.6%
top 30.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 28
Latest updateMay 24
Description
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5
Affected Packages2 packages
Also affects: Fedora 31, 32, Ubuntu Linux 16.04, 18.04, 19.10, 20.04
🔴Vulnerability Details
3📋Vendor Advisories
4Microsoft▶
In GNOME glib-networking through 2.64.2 the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server i↗2020-05-12
Debian▶
CVE-2020-13645: glib-networking - In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnect...↗2020
💬Community
3Bugzilla▶
CVE-2020-13645 glib-networking: GTlsClientConnection silently ignores unset server identity [fedora-all]↗2020-06-01
Bugzilla▶
CVE-2020-13645 glib-networking: GTlsClientConnection silently ignores unset server identity↗2020-06-01
Bugzilla▶
CVE-2020-13645 mingw-glib-networking: glib-networking: GTlsClientConnection silently ignores unset server identity [fedora-all]↗2020-06-01