CVE-2020-7042

MEDIUM

openfortivpn < 1.12.0 - Improper Certificate Validation

Description

An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted).

Scores

CVSS v3: 5.3
EPSS: 0.0154
EPSS Percentile: 71.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE: CWE-295, CWE-908
Status: published
Products (6):
  fedoraproject/fedora 30
  fedoraproject/fedora 31
  fedoraproject/fedora 32
  openfortivpn_project/openfortivpn < 1.12.0
  opensuse/backports_sle 15.0 sp1
  opensuse/leap 15.1
Published: Feb 27, 2020
Tracked Since: Feb 18, 2026