CVE-2020-14387
Published on: 05/27/2021 12:00:00 AM UTC
Last Modified on: 06/09/2021 02:54:00 PM UTC
Certain versions of Rsync from Samba contain the following vulnerability:
A flaw was found in rsync in versions since 3.2.0pre1. Rsync does not properly validate the server certificate: a certificate whose hostname does not match the server is accepted. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname, which could compromise the confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.
- CVE-2020-14387 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
CVSS3 Score: 7.4 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | HIGH | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | NONE |
CVSS2 Score: 5.8 - MEDIUM
Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | PARTIAL | NONE |
CVE References
Description | Tags | Link |
---|---|---|
1875549 – (CVE-2020-14387) CVE-2020-14387 rsync: rsync-ssl does not verify the hostname in the server certificate when using openssl | bugzilla.redhat.com text/html | MISC bugzilla.redhat.com/show_bug.cgi?id=1875549 |
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Samba | Rsync | All | All | All | All |
Application | Samba | Rsync | 3.2.0 | - | All | All |
Application | Samba | Rsync | 3.2.0 | pre1 | All | All |
Application | Samba | Rsync | 3.2.0 | pre2 | All | All |
Application | Samba | Rsync | 3.2.0 | pre3 | All | All |
- cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*:
- cpe:2.3:a:samba:rsync:3.2.0:-:*:*:*:*:*:*:
- cpe:2.3:a:samba:rsync:3.2.0:pre1:*:*:*:*:*:*:
- cpe:2.3:a:samba:rsync:3.2.0:pre2:*:*:*:*:*:*:
- cpe:2.3:a:samba:rsync:3.2.0:pre3:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Source | Title | Posted (UTC) |
---|---|---|
@CVEreport | CVE-2020-14387 : A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with… twitter.com/i/web/status/1… | 2021-05-27 20:06:02 |
/r/netcve | CVE-2020-14387 | 2021-05-27 20:41:42 |