CVE-2020-7042

Опубликовано: 27 фев. 2020

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted).

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00009.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00011.html
Mailing List
Third Party Advisory
https://github.com/adrienverge/openfortivpn/commit/9eee997d599a89492281fc7ffdd79d88cd61afc3
Patch
Third Party Advisory
https://github.com/adrienverge/openfortivpn/commit/cd9368c6a1b4ef91d77bb3fdbe2e5bc34aa6f4c4
Patch
Third Party Advisory
https://github.com/adrienverge/openfortivpn/issues/536
Issue Tracking
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKNKSGBVYGRRVRLFEFBEKUEJYJR5LWOF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FF6HYIBREQGATRM5COF57MRQWKOKCWZ3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SRVVNXCNTNMPCIAZIVR4FAGYCSU53FNA/
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00009.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00011.html
Mailing List
Third Party Advisory
https://github.com/adrienverge/openfortivpn/commit/9eee997d599a89492281fc7ffdd79d88cd61afc3
Patch
Third Party Advisory
https://github.com/adrienverge/openfortivpn/commit/cd9368c6a1b4ef91d77bb3fdbe2e5bc34aa6f4c4
Patch
Third Party Advisory
https://github.com/adrienverge/openfortivpn/issues/536
Issue Tracking
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKNKSGBVYGRRVRLFEFBEKUEJYJR5LWOF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FF6HYIBREQGATRM5COF57MRQWKOKCWZ3/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SRVVNXCNTNMPCIAZIVR4FAGYCSU53FNA/

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:openfortivpn_project:openfortivpn:*:*:*:*:*:*:*:*

Версия до 1.12.0 (исключая)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Версия до 1.0.2 (включая)

Конфигурация 2

Одно из

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

EPSS

Процентиль: 69%

0.00616

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-295

Связанные уязвимости

CVE-2020-7042

CVSS3: 5.3

ubuntu

почти 6 лет назад

CVE-2020-7042

CVSS3: 5.3

debian

почти 6 лет назад

An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL ...

GHSA-8w9v-97h7-m2j5

github

больше 3 лет назад

openSUSE-SU-2020:0301-1

suse-cvrf

почти 6 лет назад

Security update for openfortivpn

EPSS

Процентиль: 69%

0.00616

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-295