CVE-2020-15719

Severity Score

4.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

libldap en determinados paquetes OpenLDAP de terceros presenta un fallo de comprobación de certificados cuando el paquete de terceros está afirmando que admite RFC6125. Considera CN incluso cuando se presenta un subjectAltName (SAN) no coincidente. Esto es corregido, por ejemplo, en la versión openldap-2.4.46-10.el8 en Red Hat Enterprise

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-07-14 CVE Reserved
2020-07-14 CVE Published
2024-08-04 CVE Updated
2024-11-07 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation

CAPEC

References (6)

URL	Tag	Source
https://access.redhat.com/errata/RHBA-2019:3674	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1740070	Issue Tracking
https://kc.mcafee.com/corporate/index?page=content&id=SB10365	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/security-alerts/cpuapr2022.html	2022-05-12

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html	2022-05-12
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html	2022-05-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openldap Search vendor "Openldap"		Openldap Search vendor "Openldap" for product "Openldap"				< 2.4.46-10.el8 Search vendor "Openldap" for product "Openldap" and version " < 2.4.46-10.el8"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.2 Search vendor "Opensuse" for product "Leap" and version "15.2"		-		Affected
Mcafee Search vendor "Mcafee"		Policy Auditor Search vendor "Mcafee" for product "Policy Auditor"				< 6.5.1 Search vendor "Mcafee" for product "Policy Auditor" and version " < 6.5.1"		-		Affected
Oracle Search vendor "Oracle"		Blockchain Platform Search vendor "Oracle" for product "Blockchain Platform"				< 21.1.2 Search vendor "Oracle" for product "Blockchain Platform" and version " < 21.1.2"		-		Affected