{"api_version":"1","generated_at":"2026-04-23T01:14:50+00:00","cve":"CVE-2020-13645","urls":{"html":"https://cve.report/CVE-2020-13645","api":"https://cve.report/api/cve/CVE-2020-13645.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-13645","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-13645"},"summary":{"title":"CVE-2020-13645","description":"In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2020-05-28 12:15:00","updated_at":"2023-11-07 03:16:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/","name":"FEDORA-2020-98ebbd1397","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 31 Update: glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/","name":"FEDORA-2020-cadbc5992f","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: mingw-glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/","name":"FEDORA-2020-98ebbd1397","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/4405-1/","name":"USN-4405-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-4405-1: GLib Networking vulnerability | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://gitlab.gnome.org/GNOME/balsa/-/issues/34","name":"https://gitlab.gnome.org/GNOME/balsa/-/issues/34","refsource":"MISC","tags":["Exploit","Vendor Advisory"],"title":"GTlsClientConnection warning about NULL server-identity property (#34) · Issues · GNOME / balsa · GitLab","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/","name":"FEDORA-2020-a83c8cd358","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 32 Update: mingw-glib-networking-2.64.3-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/","name":"FEDORA-2020-a83c8cd358","refsource":"","tags":[],"title":"[SECURITY] Fedora 32 Update: mingw-glib-networking-2.64.3-1.fc32 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20200608-0004/","name":"https://security.netapp.com/advisory/ntap-20200608-0004/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"CVE-2020-13645 GNOME GLib Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://security.gentoo.org/glsa/202007-50","name":"GLSA-202007-50","refsource":"GENTOO","tags":["Third Party Advisory"],"title":"GLib Networking: Improper certificate validation (GLSA 202007-50) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/","name":"FEDORA-2020-cadbc5992f","refsource":"FEDORA","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] Fedora 31 Update: mingw-glib-networking-2.62.4-1.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135","name":"https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135","refsource":"MISC","tags":["Exploit","Vendor Advisory"],"title":"(CVE-2020-13645) GTlsClientConnection silently ignores unset server identity (#135) · Issues · GNOME / glib-networking · GitLab","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-13645","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-13645","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"broadcom","cpe5":"fabric_operating_system","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"20.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"20.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"31","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"32","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnome","cpe5":"balsa","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnome","cpe5":"balsa","cpe6":"2.6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnome","cpe5":"balsa","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnome","cpe5":"balsa","cpe6":"2.6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnome","cpe5":"glib-networking","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnome","cpe5":"glib-networking","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"brocade_fabric_os","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"netapp","cpe5":"brocade_fabric_os","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"cloud_backup","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"13645","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"cloud_backup","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-13645","qid":"296073","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 24.75.2 Missing (CPUJUL2020)"},{"cve":"CVE-2020-13645","qid":"500970","title":"Alpine Linux Security Update for glib-networking"},{"cve":"CVE-2020-13645","qid":"670486","title":"EulerOS Security Update for glib-networking (EulerOS-SA-2021-2244)"},{"cve":"CVE-2020-13645","qid":"670512","title":"EulerOS Security Update for glib-networking (EulerOS-SA-2021-2270)"},{"cve":"CVE-2020-13645","qid":"750924","title":"OpenSUSE Security Update for balsa (openSUSE-SU-2021:1094-1)"},{"cve":"CVE-2020-13645","qid":"751458","title":"OpenSUSE Security Update for glib-networking (openSUSE-SU-2021:3944-1)"},{"cve":"CVE-2020-13645","qid":"751478","title":"SUSE Enterprise Linux Security Update for glib-networking (SUSE-SU-2021:3997-1)"},{"cve":"CVE-2020-13645","qid":"751482","title":"SUSE Enterprise Linux Security Update for glib-networking (SUSE-SU-2021:4004-1)"},{"cve":"CVE-2020-13645","qid":"751520","title":"OpenSUSE Security Update for glib-networking (openSUSE-SU-2021:1554-1)"},{"cve":"CVE-2020-13645","qid":"900189","title":"CBL-Mariner Linux Security Update for glib-networking 2.59.1"},{"cve":"CVE-2020-13645","qid":"901195","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for glib-networking (6440-1)"},{"cve":"CVE-2020-13645","qid":"903398","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for glib-networking (1945)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2020-13645","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135","refsource":"MISC","name":"https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135"},{"url":"https://gitlab.gnome.org/GNOME/balsa/-/issues/34","refsource":"MISC","name":"https://gitlab.gnome.org/GNOME/balsa/-/issues/34"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20200608-0004/","url":"https://security.netapp.com/advisory/ntap-20200608-0004/"},{"refsource":"FEDORA","name":"FEDORA-2020-98ebbd1397","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/"},{"refsource":"FEDORA","name":"FEDORA-2020-cadbc5992f","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/"},{"refsource":"FEDORA","name":"FEDORA-2020-a83c8cd358","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/"},{"refsource":"UBUNTU","name":"USN-4405-1","url":"https://usn.ubuntu.com/4405-1/"},{"refsource":"GENTOO","name":"GLSA-202007-50","url":"https://security.gentoo.org/glsa/202007-50"}]}},"nvd":{"publishedDate":"2020-05-28 12:15:00","lastModifiedDate":"2023-11-07 03:16:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":2.5},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:gnome:balsa:2.6.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:gnome:balsa:*:*:*:*:*:*:*:*","versionEndExcluding":"2.5.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*:*","versionEndExcluding":"2.62.4","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:gnome:glib-networking:*:*:*:*:*:*:*:*","versionStartIncluding":"2.64.0","versionEndExcluding":"2.64.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"13645","Ordinal":"174830","Title":"CVE-2020-13645","CVE":"CVE-2020-13645","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"13645","Ordinal":"1","NoteData":"In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"13645","Ordinal":"2","NoteData":"2020-05-28","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"13645","Ordinal":"3","NoteData":"2020-07-26","Type":"Other","Title":"Modified"}]}}}