Vulnerability Details : CVE-2020-25680
A flaw was found in JBCS httpd version 2.4.37 SP3: when a back-end worker's SSL certificate is used with a keystore file whose ID is 'unknown', the validation that the certificate's CN matches the hostname stops working, allowing a connection to the back-end worker. The highest threat from this vulnerability is to data integrity.
Products affected by CVE-2020-25680
- cpe:2.3:a:redhat:jboss_core_services_httpd:2.4.37:sp3:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25680
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~21% (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2020-25680
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N | 8.0 | 4.9 | NIST | |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 2.8 | 2.5 | NIST | |
CWE ids for CVE-2020-25680
- The product does not validate, or incorrectly validates, a certificate. Assigned by: secalert@redhat.com (Primary)
References for CVE-2020-25680
- https://bugzilla.redhat.com/show_bug.cgi?id=1892703 : 1892703 – (CVE-2020-25680) CVE-2020-25680 httpd: allow connecting via SSL to a backend worker when the backend keystore file's ID is 'unknown' (Issue Tracking; Third Party Advisory)