Description
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
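The defect described above is a fail-open check: when the application never supplies the expected server identity, the hostname comparison is skipped instead of failing. The following added example, which is not glib-networking code and models no GIO API, shows the two behaviours side by side on a constructed certificate representation (`FakeCert`, holding only the certificate's DNS and IP subject alternative names): `buggy_verify_identity` reproduces the skip described in the CVE, while `verify_identity` implements the documented intent, treating a missing identity as a verification failure and matching DNS names with only the restricted left-most-label wildcard.

```python
"""Fail-closed hostname verification (CWE-297), illustrative only.

Added example: it is not glib-networking's implementation and the
certificate model below is constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class FakeCert:
    """Constructed stand-in for a parsed certificate: just its SAN entries."""
    dns_names: list[str] = field(default_factory=list)
    ip_addrs: list[str] = field(default_factory=list)


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; '*' only as the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse label-count mismatches (a wildcard covers one label only)
    # and overly broad patterns such as '*.com'.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_identity(cert: FakeCert, expected_identity: str | None) -> bool:
    """Return True only if the certificate is valid for expected_identity.

    A missing identity is a verification failure (fail closed), which is the
    documented behaviour the CVE text says the implementation did not follow.
    """
    if not expected_identity:
        return False
    try:
        wanted_ip = ipaddress.ip_address(expected_identity)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(a) == wanted_ip for a in cert.ip_addrs)
    return any(_dns_name_match(n, expected_identity) for n in cert.dns_names)


def buggy_verify_identity(cert: FakeCert, expected_identity: str | None) -> bool:
    """Behaviour described in the CVE: no identity means the check is skipped,
    so any certificate valid for some host is accepted."""
    if not expected_identity:
        return True
    return verify_identity(cert, expected_identity)


if __name__ == "__main__":
    # Constructed certificate: valid for mail.example.org, *.example.net, 203.0.113.5
    cert = FakeCert(dns_names=["mail.example.org", "*.example.net"],
                    ip_addrs=["203.0.113.5"])
    for ident in ["mail.example.org", "imap.example.net", "a.b.example.net", None]:
        print(f"{ident!r:22} fixed={verify_identity(cert, ident)!s:5} "
              f"buggy={buggy_verify_identity(cert, ident)}")
```

The last line of the demonstration is the one that matters for this CVE: with `None` as the identity the fixed check rejects the certificate, while the buggy variant accepts it, which is exactly the condition under which an application such as the one named above would accept a certificate issued for an unrelated host.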
Report
Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-297: Improper Validation of Certificate with Host Mismatch vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform uses secure HTTPS connections over TLS 1.2, reducing the risk of improper certificate validation, including host mismatches. All public key certificates for externally facing systems are obtained from approved service providers to ensure only trusted Certificate Authorities (CAs) are included in platform trust stores. Internal and external certificates are established and maintained within a secure environment. The platform also enforces the use of FIPS-validated cryptographic modules across all compute resources, helping prevent unauthorized actors from accessing or interpreting data, even if intercepted. These measures ensure that only certificates from trusted CAs are accepted, minimizing the risk of host mismatches and the acceptance of forged or invalid certificates.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | glib-networking | Out of support scope | | |
| Red Hat Enterprise Linux 7 | glib-networking | Will not fix | | |
| Red Hat Enterprise Linux 8 | glib-networking | Will not fix | | |
Additional information
Status:
EPSS:
CVSS3: 6.5 Medium