CVE-2020-17514

3 documents3 sources
Severity
7.4HIGH
EPSS
0.8%
top 25.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache FineractApache Fineract
Timeline
PublishedMay 27
Latest updateMay 24

Description

Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages2 packages

NVDapache/fineract< 1.5.0
CVEListV5apache_software_foundation/apache_fineractApache Fineract1.5.0

Patches

Patch: issues.apache.orgPatch: issues.apache.org

🔴Vulnerability Details

2
GHSA
GHSA-qwv7-pm3r-wfcw: Apache Fineract prior to 12022-05-24
CVEList
disabled hostname verificiation2021-05-27
CVE-2020-17514 (HIGH CVSS 7.4) | Apache Fineract prior to 1.5.0 disa | cvebase.io