CVE-2020-26234
low-risk
Published 2020-12-08
Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8 Please be aware that fixing the problem means that Opencast will not simply accept any self-signed certificates any longer without properly importing them. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.
Do I need to act?
-
0.08% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10
Medium
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (4)
Third Party Advisory
https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6
Third Party Advisory
https://github.com/opencast/opencast/security/advisories/GHSA-44cw-p2hm-gpf6
20
/ 100
low-risk
Severity
15/34 · Moderate
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal