CVE-2020-13645

MEDIUM

GNOME glib-networking <= 2.64.2 - Improper Certificate Validation

Title source: llm

Description

In GNOME glib-networking through 2.64.2, the GTlsClientConnection implementation skips hostname verification of the server's TLS certificate when the application does not set the expected server identity. The documented behavior is for certificate verification to fail in that case. Applications that do not set a server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, therefore accept any TLS certificate that chains to a trusted CA, regardless of which host it was issued for.
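The following is an added illustration of the failure mode, not glib-networking's code: a small model of client-side certificate verification in which the hostname check depends on a server identity that the application may never have set. `Certificate`, the function names and the sample hostnames are constructed for the example. The vulnerable verifier accepts any chain-valid certificate when the identity is `None`; the fixed verifier fails closed, which is the behaviour the advisory says was documented.

```python
"""CWE-295 model of CVE-2020-13645: hostname verification that silently
skips when no server identity was set, beside the corrected behaviour.
Added example; it is not glib-networking's code, and the Certificate type,
function names and sample data below are constructed for illustration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Certificate:
    """Constructed stand-in for a leaf certificate: its subjectAltName
    entries and whether the chain already passed CA/expiry checks."""
    dns_names: list[str] = field(default_factory=list)
    ip_addrs: list[str] = field(default_factory=list)
    chain_valid: bool = True


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName match: case-insensitive; '*' is allowed only
    as the whole leftmost label, must be followed by at least two labels,
    and matches exactly one label (so *.example.org never covers
    a.b.example.org or example.org itself)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return hlabels[1:] == plabels[1:]


def identity_matches(cert: Certificate, identity: str) -> bool:
    """Match the expected identity against the certificate's SANs. An IP
    literal is compared against iPAddress entries only, never dNSName."""
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        return any(dns_name_matches(p, identity) for p in cert.dns_names)
    return any(ipaddress.ip_address(a) == ip for a in cert.ip_addrs)


def verify_vulnerable(cert: Certificate, server_identity: Optional[str]) -> bool:
    """Behaviour the advisory describes: with no identity configured the
    hostname check is skipped, so any CA-trusted certificate is accepted."""
    if not cert.chain_valid:
        return False
    if server_identity is None:
        return True  # BUG: hostname verification silently skipped
    return identity_matches(cert, server_identity)


def verify_fixed(cert: Certificate, server_identity: Optional[str]) -> bool:
    """Documented behaviour: a missing identity is a verification failure,
    because the client cannot know which host the certificate should name."""
    if not cert.chain_valid:
        return False
    if server_identity is None:
        return False  # fail closed: the caller never supplied an identity
    return identity_matches(cert, server_identity)


if __name__ == "__main__":
    # Constructed scenario: a MITM presents a CA-signed certificate for its
    # own host while the client meant to reach mail.example.org.
    mitm_cert = Certificate(dns_names=["attacker.example"])
    print("vulnerable, no identity:", verify_vulnerable(mitm_cert, None))          # True
    print("fixed, no identity:     ", verify_fixed(mitm_cert, None))               # False
    print("fixed, identity set:    ", verify_fixed(mitm_cert, "mail.example.org"))  # False
```

On the application side, the check that matters in GIO is that the identity is actually set before the handshake: pass it to `g_tls_client_connection_new()`, call `g_tls_client_connection_set_server_identity()` on the connection, or let `g_socket_client_connect_to_host()` set it for you, and treat a NULL result from `g_tls_client_connection_get_server_identity()` as a bug rather than relying on the library to refuse the handshake.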

References (8)

https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135 (Exploit, Vendor Advisory)
https://gitlab.gnome.org/GNOME/balsa/-/issues/34 (Exploit, Vendor Advisory)
https://security.netapp.com/advisory/ntap-20200608-0004/ (Third Party Advisory)
https://usn.ubuntu.com/4405-1/ (Third Party Advisory, Ubuntu)
https://security.gentoo.org/glsa/202007-50 (Third Party Advisory, Gentoo)

Scores

CVSS v3 6.5
EPSS 0.0061
EPSS Percentile 70.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-295
Status published
Products (11)
broadcom/fabric_operating_system
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.10
canonical/ubuntu_linux 20.04
fedoraproject/fedora 31
fedoraproject/fedora 32
gnome/balsa 2.6.0
gnome/balsa < 2.5.11
gnome/glib-networking < 2.62.4
... and 1 more
Published May 28, 2020
Tracked Since Feb 18, 2026