Vulnerability Details : CVE-2020-13645
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
Exploit prediction scoring system (EPSS) score for CVE-2020-13645
Probability of exploitation activity in the next 30 days: 0.49%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 73 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-13645
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
10.0
|
4.9
|
nvd@nist.gov |
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
3.9
|
2.5
|
nvd@nist.gov |
CWE ids for CVE-2020-13645
-
The product does not validate, or incorrectly validates, a certificate.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13645
-
https://usn.ubuntu.com/4405-1/
USN-4405-1: GLib Networking vulnerability | Ubuntu security notices | UbuntuThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20200608-0004/
CVE-2020-13645 GNOME GLib Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://security.gentoo.org/glsa/202007-50
GLib Networking: Improper certificate validation (GLSA 202007-50) — Gentoo securityThird Party Advisory
-
https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
(CVE-2020-13645) GTlsClientConnection silently ignores unset server identity (#135) · Issues · GNOME / glib-networking · GitLabExploit;Vendor Advisory
-
https://gitlab.gnome.org/GNOME/balsa/-/issues/34
GTlsClientConnection warning about NULL server-identity property (#34) · Issues · GNOME / balsa · GitLabExploit;Vendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/
[SECURITY] Fedora 32 Update: mingw-glib-networking-2.64.3-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/
[SECURITY] Fedora 31 Update: mingw-glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/
[SECURITY] Fedora 31 Update: glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Products affected by CVE-2020-13645
- cpe:2.3:a:gnome:balsa:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:balsa:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*