CVE-2020-15719

Publication date 14 July 2020

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score

4.2 · Medium


libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.
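The following added example (not code from OpenLDAP, Ubuntu or Red Hat) models the name check described above: a strict RFC 6125 verifier that ignores the CN as soon as any dNSName SAN is present, beside a variant that still falls back to the CN after a SAN mismatch. The certificate names and host names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Constructed stand-in for the identity fields parsed out of an X.509 certificate."""
    common_name: Optional[str]
    dns_sans: List[str] = field(default_factory=list)  # dNSName entries of subjectAltName


def dns_id_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID comparison. A wildcard is accepted only as the whole
    left-most label and must leave at least two labels after it (no '*.com')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = host.split(".")
        return len(host_labels) > 2 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == host


def verify_hostname_rfc6125(cert: CertNames, host: str) -> bool:
    """RFC 6125 section 6.4.4: when the certificate carries any dNSName SAN, only the
    SANs are consulted; the CN is a fallback solely for certificates without them."""
    if cert.dns_sans:
        return any(dns_id_matches(san, host) for san in cert.dns_sans)
    return cert.common_name is not None and dns_id_matches(cert.common_name, host)


def verify_hostname_cn_fallback(cert: CertNames, host: str) -> bool:
    """Behaviour described in the advisory: SANs are checked, but on a mismatch the
    verifier still falls back to the CN, so a non-matching SAN does not cause rejection."""
    if any(dns_id_matches(san, host) for san in cert.dns_sans):
        return True
    return cert.common_name is not None and dns_id_matches(cert.common_name, host)


if __name__ == "__main__":
    # Constructed certificate: the CN names one host, the only SAN names a different one.
    cert = CertNames(common_name="ldap.example.test", dns_sans=["directory.example.test"])
    print(verify_hostname_rfc6125(cert, "ldap.example.test"))      # False: SAN present, no match
    print(verify_hostname_cn_fallback(cert, "ldap.example.test"))  # True: CN wrongly consulted
```

The difference matters because a CA that issues a certificate with SANs has already bound the identity there; honouring the CN afterwards widens what the certificate is accepted for.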


Status

Package    Ubuntu release      Status
openldap   20.04 LTS focal     Not affected
           19.10 eoan          Ignored (end of life)
           18.04 LTS bionic    Not affected
           16.04 LTS xenial    Not affected
           14.04 LTS trusty    Not affected

Notes


mdeslaur

See RH bug for possible regression fixes; per upstream bug, this is an issue with a RH patch to openldap and doesn't apply to upstream openldap. Marking as not-affected since Ubuntu does not carry the patch.

Severity score breakdown

Parameter             Value
Base score            4.2 · Medium
Attack vector         Network
Attack complexity     High
Privileges required   None
User interaction      Required
Scope                 Unchanged
Confidentiality       Low
Integrity impact      Low
Availability impact   None
Vector                CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N