CVE-2020-15719
Severity CVSS v4.0:
Pending analysis
Type:
CWE-295
Improper Certificate Validation
Publication date:
14/07/2020
Last modified:
12/05/2022
Description
libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
Impact
Base Score 3.x
4.20
Severity 3.x
MEDIUM
Base Score 2.0
4.00
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:* | 2.4.46-10.el8 (excluding) | |
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* | ||
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* | ||
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:* | ||
cpe:2.3:a:mcafee:policy_auditor:*:*:*:*:*:*:*:* | 6.5.1 (excluding) | |
cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* | 21.1.2 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html
- https://access.redhat.com/errata/RHBA-2019:3674
- https://bugs.openldap.org/show_bug.cgi?id=9266
- https://bugzilla.redhat.com/show_bug.cgi?id=1740070
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- https://www.oracle.com/security-alerts/cpuapr2022.html