CVE-2020-13645
Published: 28 May 2020
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
Notes
| Author | Note |
|---|---|
| mdeslaur | fixing this issue in glib-networking will require fixing balsa too |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
balsa Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| eoan |
Released
(2.5.6-2ubuntu0.1)
|
|
| focal |
Released
(2.6.0-2ubuntu0.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
Patches: upstream: https://gitlab.gnome.org/GNOME/balsa/-/commit/e8952e3ccb1bb5094a6f8920e7c274e2e7dae184 |
||
|
glib-networking Launchpad, Ubuntu, Debian |
bionic |
Released
(2.56.0-1ubuntu0.1)
|
| eoan |
Released
(2.62.1-1ubuntu0.1)
|
|
| focal |
Released
(2.64.2-1ubuntu0.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.48.2-1~ubuntu16.04.2)
|
|
|
Patches: upstream: https://gitlab.gnome.org/GNOME/glib-networking/-/commit/29513946809590c4912550f6f8620468f9836d94 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |