oss-sec mailing list archives
CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS
From: James Dailey <jamespdailey () gmail com>
Date: Thu, 27 May 2021 07:18:08 -0700
The Fineract project announces the release of 1.5.0, which, among other things, fixes this issue.

*CVE-2020-17514: Disabled Hostname verification for HTTPS*

[DESCRIPTION]:
*Critical*: Apache Fineract disables HTTPS hostname verification in `ProcessorHelper` in the `configureClient` method. Under typical deployments, a man-in-the-middle attack could be successful.

*Release branch*: The fix is available at https://github.com/apache/fineract/tree/1.5.0.

*Acknowledgements*: We would like to thank Simon Gerst at https://github.com/intrigus-lgtm for reporting this issue, and the *Apache Security team* for their assistance.

Reported to security team: 15 October 2020
Fixed: 19 October 2020
Update released: 23 May 2021
Issue public: 26 May 2021
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0

[REFERENCES]:
https://issues.apache.org/jira/browse/FINERACT-1211
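The misconfiguration class the advisory describes, as an added illustration in plain JDK code. This is not Fineract's `ProcessorHelper` or its `configureClient` method (the advisory does not show that code, and the project's HTTP client library is not reproduced here); the class name `HostnameVerificationExample` and its methods are assumptions. It places a verifier that accepts every hostname beside the platform default verifier that a client should keep, and shows how a name mismatch surfaces when verification is left on.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Added example, not Fineract code. Shows the weak setting the advisory
 * describes (a verifier that accepts any hostname) next to the hardened
 * setting (the JDK default verifier, which matches the certificate's
 * subject alternative names against the host that was actually requested).
 */
public final class HostnameVerificationExample {

    /**
     * Anti-pattern: with this verifier any certificate the trust store
     * accepts, issued for any name, is accepted for any host. An on-path
     * attacker presenting a valid certificate for a domain they control
     * is therefore not detected. Kept here only so the contrast is visible.
     */
    static final HostnameVerifier ACCEPT_ANY_HOST =
            (String hostname, SSLSession session) -> true;

    /**
     * Hardened: keep the platform default. HttpsURLConnection applies it
     * on its own, so in most code the correct fix is to delete the
     * setHostnameVerifier(...) call rather than to swap its argument.
     */
    static final HostnameVerifier PLATFORM_DEFAULT =
            HttpsURLConnection.getDefaultHostnameVerifier();

    /** Opens an HTTPS connection with an explicitly chosen verifier. */
    static HttpsURLConnection open(URL url, HostnameVerifier verifier) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setHostnameVerifier(verifier);
        conn.setConnectTimeout(5_000);
        conn.setReadTimeout(5_000);
        return conn;
    }

    /**
     * Connects with the default verifier and returns the leaf certificate
     * the peer presented. A hostname mismatch is reported as an IOException
     * (typically an SSLHandshakeException) from connect(); a client must
     * let that exception propagate instead of silencing it.
     */
    static Certificate connectAndGetLeaf(URL url) throws IOException {
        HttpsURLConnection conn = open(url, PLATFORM_DEFAULT);
        try {
            conn.connect();
            Certificate[] chain = conn.getServerCertificates();
            if (chain.length == 0) {
                throw new SSLPeerUnverifiedException("peer presented no certificates");
            }
            return chain[0];
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // The default URL is a placeholder; pass the endpoint to check as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://example.com/");
        System.out.println("Verifier in use: " + PLATFORM_DEFAULT.getClass().getName());
        Certificate leaf = connectAndGetLeaf(url);
        System.out.println("Peer certificate type: " + leaf.getType());
    }
}
```

When reviewing a Java client for this class of problem, the things to look for are any `setHostnameVerifier` or `hostnameVerifier(...)` call whose argument unconditionally returns `true`, and any `catch` that swallows the handshake exception; the repair is to remove the override so the platform default applies, then confirm with a connection to a host whose certificate name does not match that the handshake fails as it should.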