libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
References
Link | Resource |
---|---|
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html | Mailing List Third Party Advisory |
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html | Mailing List Third Party Advisory |
https://access.redhat.com/errata/RHBA-2019:3674 | Third Party Advisory |
https://bugs.openldap.org/show_bug.cgi?id=9266 | Permissions Required Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=1740070 | Issue Tracking Third Party Advisory |
https://kc.mcafee.com/corporate/index?page=content&id=SB10365 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
No history.
Information
Published : 2020-07-14 14:15
Updated : 2024-02-28 17:47
NVD link : CVE-2020-15719
Mitre link : CVE-2020-15719
CVE.ORG link : CVE-2020-15719
JSON object : View
Products Affected
oracle
- blockchain_platform
redhat
- enterprise_linux
opensuse
- leap
openldap
- openldap
mcafee
- policy_auditor
CWE
CWE-295
Improper Certificate Validation