CVE-2020-7042

Severity CVSS v4.0:
Pending analysis
Type:
CWE-295 Improper Certificate Validation
Publication date:
27/02/2020
Last modified:
07/11/2023

Description

An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted).

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:openfortivpn_project:openfortivpn:*:*:*:*:*:*:*:* 1.12.0 (excluding)
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* 1.0.2 (including)
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*