List: oss-security
Subject: [oss-security] CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS
From: James Dailey <jamespdailey () gmail ! com>
Date: 2021-05-27 14:18:08
Message-ID: CANMpf86pR03Hea8=OsT5_PKADprCMvArOD7WfiGOCzQEWfCFRA () mail ! gmail ! com
The Fineract project announces the release of 1.5.0 which, among other things,
fixes this issue.
*CVE-2020-17514: Disabled Hostname verification for HTTPS*
[DESCRIPTION]:
*Critical*: Apache Fineract disables HTTPS hostname verification in the
`configureClient` method of `ProcessorHelper`.
Under typical deployments, a man-in-the-middle attack could succeed.
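For readers who want to see what the weakness class looks like and how to check for it, the following is an added illustration, not Fineract's code: the advisory only names `ProcessorHelper` and `configureClient`, so the method names below merely mirror it, the use of the JDK's own `HttpsURLConnection` API is an assumption, and the URL is a constructed placeholder that is never connected to. It puts a per-connection "accept any hostname" verifier next to the hardened form that leaves the JDK default in place, and adds a small guard check a test suite can run against any `HostnameVerifier` to catch the pattern before it ships.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import java.io.IOException;
import java.net.URL;

/**
 * Added illustration of the CVE-2020-17514 weakness class (hostname
 * verification switched off on an HTTPS client). Not Apache Fineract's
 * code; names echo the advisory only to make the comparison readable.
 */
public final class HostnameVerificationExample {

    /** The anti-pattern: a verifier that ignores both of its inputs. */
    static HostnameVerifier permissiveVerifier() {
        return (hostname, session) -> true;
    }

    /**
     * Vulnerable shape: the default verifier is replaced per connection,
     * so a server presenting any valid certificate for any name is accepted.
     */
    static HttpsURLConnection configureClientUnsafe(URL url) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(permissiveVerifier());
        return conn;
    }

    /**
     * Hardened shape: no setHostnameVerifier call, so the JDK default stays
     * in effect. JSSE checks the certificate name during the handshake and
     * consults the verifier only on a mismatch; the default verifier rejects.
     */
    static HttpsURLConnection configureClientSafe(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    /**
     * Guard check for a unit test: does this verifier accept an obviously
     * wrong name? A null SSLSession is enough to expose a verifier that
     * never looks at its arguments.
     */
    static boolean acceptsAnyHostname(HostnameVerifier verifier) {
        return verifier.verify("mismatched.invalid", null);
    }

    public static void main(String[] args) throws IOException {
        // Constructed placeholder; openConnection() does not open a socket.
        URL url = new URL("https://example.invalid/");

        HostnameVerifier unsafe = configureClientUnsafe(url).getHostnameVerifier();
        HostnameVerifier safe = configureClientSafe(url).getHostnameVerifier();

        System.out.println("unsafe client accepts any hostname: " + acceptsAnyHostname(unsafe));
        System.out.println("safe client accepts any hostname:   " + acceptsAnyHostname(safe));
    }
}
```

The guard check is the part worth keeping in a project's test suite: wire it against whatever builds the client (here the assumed `configureClient*` helpers) so that a future "accept everything" verifier fails the build instead of reaching production.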
*Release branch*: The fix is available at
https://github.com/apache/fineract/tree/1.5.0.
*Acknowledgements*: We would like to thank Simon Gerst at
https://github.com/intrigus-lgtm for reporting this issue, and the *Apache
Security team* for their assistance.
Reported to security team 15 October 2020
Fixed 19 October 2020
Update Released 23 May 2021
Issue public 26 May 2021
Affects 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0,
1.2.0, 1.3.0, 1.4.0
[REFERENCES]:
https://issues.apache.org/jira/browse/FINERACT-1211