TLS Certificate Verification Bypass in GNOME glib-networking
CVE-2020-13645

6.5MEDIUM

Key Information:

Vendor

Gnome
Status
Balsa
Glib-networking
Vendor
CVE Published:
28 May 2020

What is CVE-2020-13645?

In GNOME glib-networking versions before 2.64.2, a vulnerability exists where GTlsClientConnection does not properly verify the hostname of a server’s TLS certificate if the application does not specify the expected server identity. This flaw allows applications, such as Balsa email client prior to version 2.5.11 and 2.6.x before 2.6.1, to accept a TLS certificate as valid for any host, defeating the intended security mechanism of certificate verification.

References

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
x_refsource_MISC
https://gitlab.gnome.org/GNOME/balsa/-/issues/34
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20200608-0004/
x_refsource_CONFIRM

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.