
List:       oss-security
Subject:    [oss-security] CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS
From:       James Dailey <jamespdailey () gmail ! com>
Date:       2021-05-27 14:18:08
Message-ID: CANMpf86pR03Hea8=OsT5_PKADprCMvArOD7WfiGOCzQEWfCFRA () mail ! gmail ! com


The Fineract project announces the release of 1.5.0 which, among other things,
fixes this issue.

*CVE-2020-17514: Disabled hostname verification for HTTPS*

[DESCRIPTION]:

*Critical*: Apache Fineract disables HTTPS hostname verification in
`ProcessorHelper` in the `configureClient` method.

Under typical deployments, a man-in-the-middle attack could be successful.

*Release branch*: The fix is available at
https://github.com/apache/fineract/tree/1.5.0.

*Acknowledgements*: We would like to thank Simon Gerst at
https://github.com/intrigus-lgtm for reporting this issue, and the *Apache
Security team* for their assistance.
Reported to security team 15 October 2020
Fixed 19 October 2020
Update Released 23 May 2021
Issue public 26 May 2021
Affects 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0,
1.2.0, 1.3.0, 1.4.0

[REFERENCES]:

https://issues.apache.org/jira/browse/FINERACT-1211
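The pattern behind this class of defect, shown as an added illustration that is not part of the advisory above and not Fineract's own `ProcessorHelper` code: an OkHttp client (assumed here because Fineract's hook processor is Java; the class name `HookClientConfig` and the trust-store parameters are hypothetical) built with a hostname verifier that accepts every name, beside a hardened client that keeps the default verifier and, when a private CA is required, trusts only that CA through an explicit trust store instead of switching verification off.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

// Hypothetical helper, written for this illustration only.
public class HookClientConfig {

    // Weak pattern (the defect class described in CVE-2020-17514): a verifier
    // that returns true for every hostname means any certificate that chains
    // to a trusted CA, issued for any name at all, passes the TLS handshake,
    // so the client cannot tell the intended server from an interposed one.
    static OkHttpClient insecureClient() {
        return new OkHttpClient.Builder()
                .hostnameVerifier((hostname, session) -> true)
                .build();
    }

    // Hardened pattern: do not override hostnameVerifier at all (OkHttp's
    // default checks the certificate's SAN/CN against the requested host).
    // If hook endpoints use a private CA, load that CA into a trust store and
    // hand OkHttp a trust manager built from it; the hostname check stays on.
    static OkHttpClient hardenedClient(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return new OkHttpClient.Builder()
                .sslSocketFactory(ctx.getSocketFactory(), tm) // chain validation against the chosen CA
                .build();                                     // hostname verification left at default
    }
}
```

A code-review or static-analysis check for `hostnameVerifier(` overrides and trust-all `X509TrustManager` implementations catches both halves of this defect, since disabling either chain validation or hostname verification is enough to remove the MITM protection TLS is meant to provide.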

