{"id":"CVE-2020-13645","details":"In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.","modified":"2026-04-16T04:34:09.845992614Z","published":"2020-05-28T12:15:11.173Z","related":["SUSE-SU-2021:3944-1","SUSE-SU-2021:3997-1","SUSE-SU-2021:4004-1","openSUSE-SU-2021:1094-1","openSUSE-SU-2021:1554-1","openSUSE-SU-2021:3944-1","openSUSE-SU-2024:10790-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-50"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200608-0004/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4405-1/"},{"type":"EVIDENCE","url":"https://gitlab.gnome.org/GNOME/balsa/-/issues/34"},{"type":"EVIDENCE","url":"https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gnome/glib-networking","events":[{"introduced":"0"},{"fixed":"6708b357c59d7655f10d7b69c194178c9ccc447f"},{"introduced":"c8a3134693712055d4bff35ca18bf936e3f0df07"},{"fixed":"533d3a76e2cc622b072e3ec789f69e888f3fd8eb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.62.4"},{"introduced":"2.64.0"},{"fixed":"2.64.3"}]}},{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/balsa","events":[{"introduced":"0"},{"fixed":"f07d097cfef79f993b38c62870fd32f27f0d15a2"},{"introduced":"0"},{"last_affected":"f88ed9be84d182668e809c6f06d733b5d288f302"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.5.11"},{"introduced":"0"},{"last_affected":"2.6.0"}]}}],"versions":["2.25.0","2.26.0","2.27.4","2.27.5","2.27.90","2.28.0","2.28.4","2.28.5","2.28.6","2.29.15","2.29.18","2.29.9","2.29.92","2.31.0","2.31.16","2.31.2","2.31.20","2.31.22","2.31.6","2.32.0","2.32.1","2.33.10","2.33.12","2.33.14","2.33.14.1","2.33.2","2.34","2.35.1","2.35.3","2.35.4","2.35.6","2.35.8","2.35.9","2.36.0","2.37.1","2.37.2","2.37.4","2.37.5","2.38.0","2.38.1","2.39.1","2.39.3","2.39.90","2.40.0","2.41.3","2.41.4","2.41.92","2.42.0","2.43.1","2.43.91","2.43.92","2.44.0","2.45.1","2.46.0","2.47.1","2.48.0","2.48.1","2.48.2","2.49.90","2.5.10","2.5.3a","2.5.4","2.5.5","2.5.6","2.5.7a","2.5.8","2.5.9","2.50.0","2.53.90","2.54.0","2.55.1","2.55.2","2.55.90","2.57.1","2.57.2","2.57.3","2.57.90","2.57.92","2.58.0","2.59.1","2.59.2","2.59.90","2.59.91","2.59.92","2.6.0","2.60.0","2.60.0.1","2.60.1","2.60.2","2.61.1","2.61.2","2.61.90","2.61.92","2.62.0","2.62.1","2.62.2","2.62.3","2.64.0","2.64.1","2.64.2","BALSA_1_0_0","BALSA_1_1_0","BALSA_1_1_1","BALSA_1_1_2","BALSA_1_1_4","BALSA_1_1_7","BALSA_1_2_0","BALSA_1_2_2","BALSA_1_2_pre2","BALSA_1_3_0","BALSA_1_3_3","BALSA_1_3_4","BALSA_1_3_5","BALSA_1_3_6","BALSA_1_4_0","BALSA_1_4_1","BALSA_2_0_13","BALSA_2_0_8","BALSA_2_0_9","BALSA_2_1_1","BALSA_2_1_2","BALSA_2_1_3","BALSA_2_1_91","BALSA_2_2_1","BALSA_2_2_2","BALSA_2_2_4","BALSA_2_2_5","BALSA_2_2_6","BALSA_2_3_0","BALSA_2_3_1","BALSA_2_3_10","BALSA_2_3_12","BALSA_2_3_13","BALSA_2_3_15","BALSA_2_3_19","BALSA_2_3_2","BALSA_2_3_20","BALSA_2_3_24","BALSA_2_3_26","BALSA_2_3_3","BALSA_2_3_4","BALSA_2_3_5","BALSA_2_3_7","BALSA_2_3_8","GNOME0","GNOME_MEDIA_1_2_2","GNOME_PRINT_0_24","WITHXMHTML","balsa-0-8","balsa-0-9-5","balsa-0_6_0","before-new-toolbars","dev_0_9_1","glib-2.33.3","initial-BALSA-CONFIG","release_tag"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13645.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]},{"events":[{"introduced":"0"},{"last_affected":"20.04"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}