CVE-2020-13645
Description
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In glib-networking through 2.64.2, TLS hostname verification is skipped if an application fails to specify the expected server identity, enabling man-in-the-middle attacks.
Vulnerability
In GNOME glib-networking through version 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate when the application fails to specify the expected server identity [1]. This contradicts the documented intended behavior, which requires that certificate verification should fail in such cases [1]. Applications that do not provide the server identity, including Balsa versions before 2.5.11 and 2.6.x before 2.6.1, accept any TLS certificate that is valid for any host [1].
Exploitation
An attacker in a privileged network position can perform a person-in-the-middle attack by presenting any valid TLS certificate (valid for any host) to a vulnerable application. No authentication and no user interaction are required; the attacker only needs to be positioned to intercept the application's normal network traffic. If the application does not explicitly specify the expected server hostname, glib-networking does not verify that the certificate matches that hostname, so the attacker can intercept the communications [1].
Impact
Successful exploitation leads to disclosure of sensitive information that the user exchanges with the intended server, as communications can be decrypted and monitored by the attacker [1]. The impact is limited to applications that rely on glib-networking and fail to set the server identity; the compromise scope is per-session data exposure.
Mitigation
Fixed versions are available: for Ubuntu, update glib-networking to the patched version provided in Ubuntu security notice USN-4405-1 [1]. Users should also ensure that any dependent application (such as Balsa) is updated to a fixed release: 2.5.11 for the 2.5.x series or 2.6.1 for the 2.6.x series [1]. No workaround has been published other than applying the patch or updating the application so that it correctly specifies the server identity [1].
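The following standalone C program is an added illustration of the check described in the Vulnerability and Mitigation sections above; it is not glib-networking's code. In GIO the expected identity is a GSocketConnectable supplied through g_tls_client_connection_set_server_identity() (or the server_identity argument of g_tls_client_connection_new()); here that identity is modelled as a plain hostname string, and the certificate's subjectAltName dNSName entries are a constructed list (cert_identity, sample_cert(), verify_identity_vulnerable() and verify_identity_fixed() are all names chosen for this example). The vulnerable variant reproduces the pre-fix behaviour, where a missing identity skips the hostname check and any certificate valid for some host is accepted; the fixed variant implements the documented intent, where a missing identity is a verification failure.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the dNSName entries of a server certificate's
 * subjectAltName extension; a real check reads them from the parsed X.509. */
typedef struct {
    const char *dns_names[4];
    size_t n_names;
} cert_identity;

/* Case-insensitive string equality: DNS names compare case-insensitively. */
static bool ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/* Match one SAN pattern against the expected host. A wildcard is honoured only
 * as the complete leftmost label ("*.example.org"), it covers exactly one
 * non-empty label, and it may not stand in for a whole registrable domain
 * (a pattern such as "*.org" is refused). */
static bool san_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *suffix = pattern + 1;        /* ".example.org" */
        const char *dot = strchr(host, '.');     /* end of the host's first label */
        if (strchr(suffix + 1, '.') == NULL)     /* refuse "*.org" style patterns */
            return false;
        if (dot == NULL || dot == host)          /* host needs a non-empty first label */
            return false;
        return ci_equal(suffix, dot);            /* remaining labels must be identical */
    }
    return ci_equal(pattern, host);
}

static bool any_san_matches(const cert_identity *cert, const char *host)
{
    for (size_t i = 0; i < cert->n_names; i++)
        if (san_matches(cert->dns_names[i], host))
            return true;
    return false;
}

/* Behaviour CVE-2020-13645 describes: with no expected identity set, the
 * hostname check is skipped and the certificate is accepted outright. */
bool verify_identity_vulnerable(const cert_identity *cert, const char *expected_host)
{
    if (expected_host == NULL)
        return true;   /* BUG: "no identity" is treated as "nothing to verify" */
    return any_san_matches(cert, expected_host);
}

/* Documented intended behaviour (and the shape of the fix): a missing or empty
 * identity fails verification instead of passing it. */
bool verify_identity_fixed(const cert_identity *cert, const char *expected_host)
{
    if (expected_host == NULL || expected_host[0] == '\0')
        return false;  /* application never said who it expected to talk to */
    return any_san_matches(cert, expected_host);
}

/* Constructed sample certificate identity used by main() and the checks below. */
const cert_identity *sample_cert(void)
{
    static const cert_identity cert = { { "mail.example.org", "*.example.org" }, 2 };
    return &cert;
}

int main(void)
{
    const cert_identity *cert = sample_cert();
    const char *cases[] = { NULL, "mail.example.org", "imap.example.org",
                            "example.org", "a.b.example.org", "mail.example.net" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *label = cases[i] != NULL ? cases[i] : "(no identity set)";
        printf("%-20s vulnerable=%d fixed=%d\n", label,
               (int)verify_identity_vulnerable(cert, cases[i]),
               (int)verify_identity_fixed(cert, cases[i]));
    }
    return 0;
}
```

The first row of the output is the whole CVE: the vulnerable variant reports success for the "no identity set" case even though nothing was compared against the certificate. When auditing an application that uses GIO, the corresponding check is that every GTlsClientConnection it creates is given a server identity: connections built by GSocketClient with TLS enabled receive one from the connectable being dialled, whereas a connection wrapped by hand around an existing stream must be given the identity explicitly.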
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GNOME/glib-networking
- Range: <2.5.11, <2.6.1
- Range: <=2.64.2
- OSV coordinates (34 versions, no CPE), each with its fixed-before range:
- pkg:rpm/opensuse/balsa&distro=openSUSE%20Leap%2015.2: < 2.6.1-bp153.2.3.1
- pkg:rpm/opensuse/balsa&distro=openSUSE%20Leap%2015.3: < 2.6.1-bp153.2.3.1
- pkg:rpm/opensuse/glib-networking&distro=openSUSE%20Leap%2015.2: < 2.62.4-lp152.2.3.1
- pkg:rpm/opensuse/glib-networking&distro=openSUSE%20Leap%2015.3: < 2.62.4-3.3.1
- pkg:rpm/opensuse/glib-networking&distro=openSUSE%20Tumbleweed: < 2.68.1-1.3
- pkg:rpm/suse/balsa&distro=SUSE%20Package%20Hub%2015%20SP2: < 2.6.1-bp153.2.3.1
- pkg:rpm/suse/balsa&distro=SUSE%20Package%20Hub%2015%20SP3: < 2.6.1-bp153.2.3.1
- pkg:rpm/suse/glib-networking&distro=HPE%20Helion%20OpenStack%208: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Enterprise%20Storage%206: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Micro%205.0: < 2.62.4-3.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: < 2.62.4-3.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2: < 2.62.4-3.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3: < 2.62.4-3.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: < 2.54.1-3.6.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20OpenStack%20Cloud%208: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20OpenStack%20Cloud%209: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208: < 2.48.2-6.3.1
- pkg:rpm/suse/glib-networking&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 2.48.2-6.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HLEX2IP62SU6WJ4SK3U766XGLQK3J62O/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LRCUM22YEWWKNMN2BP5LTVDM5P4VWIXS/ (mitre; vendor-advisory; x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQEQJQ4XFMFCFJTEXKL2ZO3UELBPCKSK/ (mitre; vendor-advisory; x_refsource_FEDORA)
- security.gentoo.org/glsa/202007-50 (mitre; vendor-advisory; x_refsource_GENTOO)
- usn.ubuntu.com/4405-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- gitlab.gnome.org/GNOME/balsa/-/issues/34 (mitre; x_refsource_MISC)
- gitlab.gnome.org/GNOME/glib-networking/-/issues/135 (mitre; x_refsource_MISC)
- security.netapp.com/advisory/ntap-20200608-0004/ (mitre; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.