Apache Fineract prior to 1.5.0 disables HTTPS hostname verification in ProcessorHelper in the configureClient method. Under typical deployments, a man in the middle attack could be successful.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2021/05/27/2 | Mailing List Third Party Advisory |
https://issues.apache.org/jira/browse/FINERACT-1211 | Patch Vendor Advisory |
https://lists.apache.org/thread.html/rc011b25289c8a6e14f8bc6d07e727382a1df3c8cf2aa5369598bbf64%40%3Cdev.fineract.apache.org%3E |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: apache
Published: 2021-05-27T12:10:10
Updated: 2021-05-27T17:06:10
Reserved: 2020-08-12T00:00:00
Link: CVE-2020-17514
JSON object: View
NVD Information
Status : Modified
Published: 2021-05-27T12:15:07.733
Modified: 2023-11-07T03:19:12.260
Link: CVE-2020-17514
JSON object: View
Redhat Information
No data.
CWE