disabled hostname verificiation
CVE-2020-17514

7.4HIGH

Key Information:

Vendor: Apache
Status: Apache Fineract
Vendor: CVE Published:; 27 May 2021

Summary

Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.

Affected Version(s)

Apache Fineract Apache Fineract < 1.5.0

References

https://issues.apache.org/jira/browse/FINERACT-1211

x_refsource_MISC

https://lists.apache.org/thread.html/rc011b25289c8a6e14f8...

mailing-listx_refsource_MLIST

http://www.openwall.com/lists/oss-security/2021/05/27/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 27, 2021
Vulnerability Reserved
Aug 12, 2020

Credit

We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue