CVE-2020-15719

Description

libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux.

How to fix CVE-2020-15719

To remediate CVE-2020-15719, upgrade the affected package to a fixed version below.

Bitnami/openldap—upgrade to 2.4.46-10.el8 or later
—no fix listed

Is CVE-2020-15719 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.4.46-10.el8
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

References (9)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-15719
WEBlists.opensuse.org/opensuse-security-announce/2020-09/msg00033.html
WEBlists.opensuse.org/opensuse-security-announce/2020-09/msg00059.html
WEBaccess.redhat.com/errata/RHBA-2019:3674