CVE-2020-15719

Severity CVSS v4.0: Pending analysis
Type: CWE-295 Improper Certificate Validation
Publication date: 14/07/2020
Last modified: 12/05/2022

Description

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. When matching the server hostname, it still falls back to the subject Common Name (CN) even though the certificate carries a subjectAltName (SAN) extension whose entries do not match; under RFC 6125 a present SAN is authoritative and the CN must not be consulted in that case. This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
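To make the flaw concrete, here is an added example (not OpenLDAP's code, and not from the advisory) that models the two fallback policies on names already extracted from a certificate. The functions `flawed_check`, `rfc6125_check`, `names_from_getpeercert` and the `SAMPLE_CERT` dictionary are hypothetical; the certificate data is constructed in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same helper can be pointed at a real peer certificate.

```python
"""Hostname verification: the CN-fallback behaviour described in
CVE-2020-15719 beside the RFC 6125 rule that fixes it.

Added illustration, not OpenLDAP code. Names are assumed to have been
extracted from the certificate already (see names_from_getpeercert)."""


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match. A wildcard is accepted only as the
    entire left-most label and never spans label boundaries, in line with
    RFC 6125 section 6.4.3 ('*.example.org' matches 'ldap.example.org'
    but neither 'example.org' nor 'a.b.example.org')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def flawed_check(hostname, san_dns_names, cn):
    """The behaviour the CVE describes: SAN entries are tried first, but
    a miss is not final. The CN is consulted anyway, so a matching CN
    overrides a SAN list that did not match."""
    if any(_match_dns_name(n, hostname) for n in san_dns_names):
        return True
    return cn is not None and _match_dns_name(cn, hostname)


def rfc6125_check(hostname, san_dns_names, cn):
    """RFC 6125 section 6.4.4: once the certificate carries any DNS-ID
    (SAN dNSName), the CN is ignored entirely. The CN is only a fallback
    for certificates with no DNS-ID at all."""
    if san_dns_names:
        return any(_match_dns_name(n, hostname) for n in san_dns_names)
    return cn is not None and _match_dns_name(cn, hostname)


def names_from_getpeercert(cert):
    """Pull (san_dns_names, cn) out of a dict in the format returned by
    ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each RDN a
    tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of
    (type, value) pairs. Only 'DNS' SAN entries count as DNS-IDs."""
    san_dns = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                cn = value
    return san_dns, cn


# Constructed sample: a certificate issued for ldap.example.net whose CN
# still says ldap.example.org. Presented to a client connecting to
# ldap.example.org it must be rejected; the flawed policy accepts it.
SAMPLE_CERT = {
    "subject": ((("countryName", "XX"),), (("commonName", "ldap.example.org"),)),
    "subjectAltName": (("DNS", "ldap.example.net"), ("IP Address", "192.0.2.10")),
}


def demo(hostname="ldap.example.org"):
    """Return (flawed_result, rfc6125_result) for SAMPLE_CERT."""
    san_dns, cn = names_from_getpeercert(SAMPLE_CERT)
    return flawed_check(hostname, san_dns, cn), rfc6125_check(hostname, san_dns, cn)


if __name__ == "__main__":
    flawed, correct = demo()
    print(f"flawed CN fallback accepts certificate: {flawed}")   # True
    print(f"RFC 6125 check accepts certificate:     {correct}")  # False
```

The practical takeaway for anyone auditing a TLS client: the decision to consult the CN must depend on whether a DNS-ID is *present*, not on whether the SAN entries *matched*. The example deliberately ignores `IP Address` SAN entries; connecting to a literal IP address is a separate matching rule (RFC 6125 section 1.7.2 excludes it) and should not be folded into DNS-name logic.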

Vulnerable products and versions

CPE                                                        From    Up to
cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:*                        2.4.46-10.el8 (excluding)
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
cpe:2.3:a:mcafee:policy_auditor:*:*:*:*:*:*:*:*                    6.5.1 (excluding)
cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*               21.1.2 (excluding)