CVE-2020-13645

Name of the Vulnerable Software and Affected Versions glib-networking versions 2.64.2 and earlier Balsa versions prior to 2.5.11 and 2.6.x prior to 2.6.1

Description The implementation of GTlsClientConnection in glib-networking skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity, contrary to its intended behavior. This allows an attacker to obtain access to confidential data and compromise its integrity. Applications that fail to provide the server identity accept a TLS certificate if it is valid for any host.

Recommendations For glib-networking versions 2.64.2 and earlier, ensure that the application specifies the expected server identity to prevent skipping hostname verification of the server's TLS certificate. For Balsa versions prior to 2.5.11, update to version 2.5.11 or later. For Balsa versions 2.6.x prior to 2.6.1, update to version 2.6.1 or later. As a temporary workaround, consider restricting access to sensitive data until the issue is resolved.