{"id":"CVE-2020-26234","details":"Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part of HTTPS: it ensures that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8. Please be aware that fixing the problem means that Opencast will no longer simply accept self-signed certificates unless they have been properly imported. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.","aliases":["GHSA-44cw-p2hm-gpf6"],"modified":"2026-04-11T11:23:27.112831Z","published":"2020-12-08T23:15:12.060Z","related":["GHSA-44cw-p2hm-gpf6"],"references":[{"type":"ADVISORY","url":"https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6"},{"type":"FIX","url":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opencast/opencast","events":[{"introduced":"0"},{"fixed":"c0927fd177a16fb9cffe6f392861582d10345527"},{"introduced":"5bb6a93a43a7f7c47f789e46e4018c80b8c54c8b"},{"fixed":"a6755c9f3a3bd168075e6533a4a338241701e307"},{"fixed":"4225bf90af74557deaf8fb6b80b0705c9621acfc"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"7.9"},{"introduced":"8.0"},{"fixed":"8.9"}]}}],"database_specific":{"vanir_signatures_modified":"2026-04-11T11:23:27Z","vanir_signatures":[{"id":"CVE-2020-26234-01413629","digest":{"function_hash":"327109432411336250414956290650978932423","length":103},"deprecated":false,"target":{"function":"getAcceptedIssuers","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":
"Function"},{"id":"CVE-2020-26234-0428f3dd","digest":{"function_hash":"263249292840919459147942955368873016510","length":760},"deprecated":false,"target":{"function":"makeHttpClient","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-05a9060c","digest":{"function_hash":"203933406073257927679797377721776597590","length":150},"deprecated":false,"target":{"function":"verify","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-06634641","digest":{"function_hash":"146709177834572249933651891866948945572","length":156},"deprecated":false,"target":{"function":"checkServerTrusted","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-5e846b9d","digest":{"function_hash":"3686685004918688748946987975203957045","length":139},"deprecated":false,"target":{"function":"verify","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-788fafcb","digest":{"function_hash":"151377040256237848782078696221456892382","length":569},"deprecated":false,"target":{"function":"createTrustManager","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90a
f74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-7c9af470","digest":{"function_hash":"306192249550679346978415369862643170783","length":151},"deprecated":false,"target":{"function":"verify","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-814d750c","digest":{"function_hash":"131537973306665995801838054688728276094","length":136},"deprecated":false,"target":{"function":"verify","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-a40cd9a8","digest":{"function_hash":"203404795811992004019295423138964071951","length":156},"deprecated":false,"target":{"function":"checkClientTrusted","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"},{"id":"CVE-2020-26234-c5ac9d2c","digest":{"line_hashes":["31093421165358474951537821415687433790","231066432682026796901888371607128612214","143657561559455396356666233750490401350","162690715822264526679288503882295015530","238784875431215025401623971803705944846","202272141043200503123483084559783106482","330105756778132893490589565650081697120","251252427217638427500594294352832499924","209157825380076793131082761291507213915","252317470776220132386583309731196625552","335301010581398448168201920453173774681","149424126489911931382587542659071309353","202874681446015085960842031960091470158","103591587911696741803079467994422157009","28327486330856937773728284603
7852469405","111987789603775853199882659322380376813","111462034920323071339227020656741472050","36723657838570367548782814226155092418","205760586296718063999300808853131711203","32658844959819684605219275137140783835","210480278624491971631169170726649495288","229369522811818289255979710865249023607","64964719968655906644498521377382895879","97301743485186266686760664630672310543","195625780064675215464873873340356386924","43675468380626260830367439290401058290","226628001500357358432864796091750391730","168978886872098207388523629717182878161","132919974779867272699764934153244955688","169359362591293366236779884205461214507","318862800665701022917687265208711995042","7562482601066629544332356939751056912","324598382637238194754886755290484931932","153847898653902695018837788759782437403","313668086847069948474097501923345958821","101904903894942924336833082594256195161","44821424633435535226404588296944952492","26520063065538584526416336338745168337","283059087938726120155551645265257418438","173405335480154247242165484205021746318","186619980323896583185374754314707200393","18048947128727635733459065113830173654","71826140353801077166303398217654567568","188466216754664841278380584849890663270","48434152954165415050358410996072630603","152276983859836113867121283856816121061","185523770410157532180933346808527408809","106217031653505190517978158265560791547","60944060518504969183123242674408108361","285448724220856325031968110223700874334","136432701260670323598079475854595556078","281753797992774887234092635197776151201","89596947515452281694142954152312429838","250398715432883654325633180466407642098","204645968045055214800540765852593045656","110462997206066787355060468485462681580","59747709575012961693722411884355551710","98303652869088692593626552359910140867","206448604114981791819444893599032429678","161210861206806463035231052918096578502","324126413718830382421501434804699130760","186850783165638853699245710005323074857","13712050975581390341612794967
6660822567","48328643926193365479381158969727867296","231567201497309472132968699611099046324","315714098840406946849889926733344418707","272797142042999373658993920508374400844","14789090626635011374114807195966297367","333726949397294573833859784190041405059","240204260903084712288426799000378500760","99446577366915969388665616877521578144","18727556555078773146720730440697769075","279142594300953703434293080341555779808","101741915926430256838572910237092999068","94100558916587806029375662081605276514","141701760980266698858380202368893780791","297010509492170874454927476913146779469","261027282966930838854090170945295692760","75021632562911340221762855132934090932"],"threshold":0.9},"deprecated":false,"target":{"file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Line"},{"id":"CVE-2020-26234-dab6a382","digest":{"function_hash":"258328183412079227782352374265129915640","length":676},"deprecated":false,"target":{"function":"createHostNameVerifier","file":"modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"},"source":"https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc","signature_version":"v1","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26234.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N"}]}