7.4
CVE-2020-17514
- EPSS 3.4%
- Veröffentlicht 27.05.2021 12:15:07
- Zuletzt bearbeitet 21.11.2024 05:08:15
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
disabled hostname verificiation
Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.4% | 0.873 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.4 | 2.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
|
| nvd@nist.gov | 5.8 | 8.6 | 4.9 |
AV:N/AC:M/Au:N/C:P/I:P/A:N
|
http://www.openwall.com/lists/oss-security/2021/05/27/2
https://issues.apache.org/jira/browse/FINERACT-1211
https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E