5.3
CVE-2020-7042
- EPSS 0.84%
- Published 27.02.2020 18:15:11
- Last modified 21.11.2024 05:36:32
- Source cve@mitre.org
- Teams watchlist Login
- Open Login
An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL 1.0.2 or later. tunnel.c mishandles certificate validation because the hostname check operates on uninitialized memory. The outcome is that a valid certificate is never accepted (only a malformed certificate may be accepted).
Data is provided by the National Vulnerability Database (NVD)
Openfortivpn Project ≫ Openfortivpn Version < 1.12.0
Fedoraproject ≫ Fedora Version30
Fedoraproject ≫ Fedora Version31
Fedoraproject ≫ Fedora Version32
Opensuse ≫ Backports Sle Version15.0 Updatesp1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.84% | 0.741 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:N/I:P/A:N
|
CWE-295 Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
CWE-908 Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.