PT-2020-20453 · Couchbase+1 · Couchbase Server Java Sdk+1
Published 2020-06-08 · Updated 2020-06-11 · CVE-2020-9040

| CVSS v3.1 | 7.5 (High) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Couchbase Server Java SDK versions prior to 2.7.1.1
Description
The issue allows a potential attacker to forge an SSL certificate and pose as the intended peer. This can be achieved by presenting a cryptographically valid certificate issued for a different host: it is accepted because the Java SDK's Netty component does not perform hostname verification, so the certificate's subject is never compared with the host the client actually connected to.
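To make the defect concrete from the defender's side, the following is an added illustration (not Couchbase SDK or Netty project code) of the difference between a Netty client SSLEngine that only validates the certificate chain and one that also verifies the hostname. It assumes the Netty 4.1 `SslContext`/`SslHandler` API and the JDK's `SSLParameters` endpoint identification mechanism; the host and port values are constructed placeholders.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Added example (not Couchbase SDK or Netty code): builds a client-side Netty
 * SslHandler with and without hostname verification. Netty 4.1 API assumed.
 */
public final class HostnameVerificationExample {

    /**
     * Weak: the engine checks that the chain leads to a trusted CA, but never
     * checks that the certificate's subject/SAN matches the host we dialled.
     * A valid certificate issued for any other name is accepted.
     */
    static SslHandler weakHandler(SslContext ctx, String host, int port) {
        SSLEngine engine = ctx.newEngine(ByteBufAllocator.DEFAULT, host, port);
        return new SslHandler(engine);
    }

    /**
     * Hardened: enabling the "HTTPS" endpoint identification algorithm makes the
     * JDK trust manager compare the certificate's SAN/CN with the peer host that
     * was passed to newEngine(), so a certificate for another name is rejected.
     */
    static SslHandler hardenedHandler(SslContext ctx, String host, int port) {
        SSLEngine engine = ctx.newEngine(ByteBufAllocator.DEFAULT, host, port);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return new SslHandler(engine);
    }

    /** Self-check usable in a unit test or at startup: is an algorithm configured? */
    static boolean verifiesHostname(SslHandler handler) {
        String alg = handler.engine().getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws SSLException {
        SslContext ctx = SslContextBuilder.forClient().build(); // default JDK trust store
        String host = "db.example.com"; // constructed placeholder
        int port = 11207;               // constructed placeholder
        System.out.println("weak handler verifies hostname:     " + verifiesHostname(weakHandler(ctx, host, port)));
        System.out.println("hardened handler verifies hostname: " + verifiesHostname(hardenedHandler(ctx, host, port)));
    }
}
```

Two details matter in the hardened variant: the engine must be created with the peer host and port (`newEngine(allocator, host, port)`), otherwise there is nothing to compare the certificate against, and the endpoint identification algorithm must be set before the handshake starts. The `verifiesHostname` check is a cheap guard to put in a test suite so that a later refactor cannot silently drop the setting again.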
Recommendations
For versions prior to 2.7.1.1, update to version 2.7.1.1 or later to resolve the issue.
Fix
Weakness Enumeration
Improper Certificate Validation
Affected Products
Couchbase Server Java Sdk
Netty