libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
References
Link | Resource |
---|---|
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html | Mailing List Third Party Advisory |
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html | Mailing List Third Party Advisory |
https://access.redhat.com/errata/RHBA-2019:3674 | Third Party Advisory |
https://bugs.openldap.org/show_bug.cgi?id=9266 | Permissions Required Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=1740070 | Issue Tracking Third Party Advisory |
https://kc.mcafee.com/corporate/index?page=content&id=SB10365 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpuapr2022.html | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-07-14T13:47:31
Updated: 2022-04-19T23:21:45
Reserved: 2020-07-14T00:00:00
Link: CVE-2020-15719
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-07-14T14:15:17.667
Modified: 2022-05-12T15:01:09.437
Link: CVE-2020-15719
JSON object: View
Redhat Information
No data.
CWE