Vulnerability Details : CVE-2020-13645
Potential exploit
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
Products affected by CVE-2020-13645
- cpe:2.3:a:gnome:balsa:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:balsa:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13645
- EPSS score: 1.18% (probability of exploitation activity in the next 30 days)
- Percentile: ~85% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-13645
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | NIST | |
CWE ids for CVE-2020-13645
- The product does not validate, or incorrectly validates, a certificate. Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13645
- https://usn.ubuntu.com/4405-1/
  USN-4405-1: GLib Networking vulnerability | Ubuntu security notices | Ubuntu [Third Party Advisory]
- https://security.netapp.com/advisory/ntap-20200608-0004/
  CVE-2020-13645 GNOME GLib Vulnerability in NetApp Products | NetApp Product Security [Third Party Advisory]
- https://security.gentoo.org/glsa/202007-50
  GLib Networking: Improper certificate validation (GLSA 202007-50) — Gentoo security [Third Party Advisory]
- https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
  (CVE-2020-13645) GTlsClientConnection silently ignores unset server identity (#135) · Issues · GNOME / glib-networking · GitLab [Exploit; Vendor Advisory]
- https://gitlab.gnome.org/GNOME/balsa/-/issues/34
  GTlsClientConnection warning about NULL server-identity property (#34) · Issues · GNOME / balsa · GitLab [Exploit; Vendor Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/
  [SECURITY] Fedora 32 Update: mingw-glib-networking-2.64.3-1.fc32 - package-announce - Fedora Mailing-Lists [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/
  [SECURITY] Fedora 31 Update: mingw-glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-Lists [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/
  [SECURITY] Fedora 31 Update: glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-Lists [Mailing List; Third Party Advisory]