What is the severity of CVE-2020-25680?

CVE-2020-25680 is categorized as a medium severity vulnerability.

How do I fix CVE-2020-25680?

To fix CVE-2020-25680, update the affected JBCS httpd packages to version 2.4.37-64.jbcs.el6 or el7 or later as recommended.

Which software versions are affected by CVE-2020-25680?

CVE-2020-25680 affects JBCS httpd version 2.4.37 SP3 and earlier versions.

What is the impact of CVE-2020-25680?

The impact of CVE-2020-25680 is that it allows connections to the back-end worker even when the SSL certificate validation fails.

Is there a workaround for CVE-2020-25680?

There is no official workaround for CVE-2020-25680, and updating to a patched version is recommended.

Vulnerability/
CVE-2020-25680

medium

5.5

CWE

295

29/10/2020

7/1/2021

4/8/2024

CVE-2020-25680

First published: Thu Oct 29 2020(Updated: )

A flaw was found in JBCS httpd in version 2.4.37 SP3, where it uses a back-end worker SSL certificate with the keystore file's ID is 'unknown'. The validation of the certificate whether CN and hostname are matching stopped working and allow connecting to the back-end work. The highest threat from this vulnerability is to data integrity.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/jbcs-httpd24-apr	<0:1.6.3-104.jbcs.el6	0:1.6.3-104.jbcs.el6
redhat/jbcs-httpd24-apr-util	<0:1.6.1-75.jbcs.el6	0:1.6.1-75.jbcs.el6
redhat/jbcs-httpd24-brotli	<0:1.0.6-38.jbcs.el6	0:1.0.6-38.jbcs.el6
redhat/jbcs-httpd24-curl	<0:7.64.1-44.jbcs.el6	0:7.64.1-44.jbcs.el6
redhat/jbcs-httpd24-httpd	<0:2.4.37-64.jbcs.el6	0:2.4.37-64.jbcs.el6
redhat/jbcs-httpd24-jansson	<0:2.11-53.jbcs.el6	0:2.11-53.jbcs.el6
redhat/jbcs-httpd24-nghttp2	<0:1.39.2-34.jbcs.el6	0:1.39.2-34.jbcs.el6
redhat/jbcs-httpd24-openssl	<1:1.1.1c-32.jbcs.el6	1:1.1.1c-32.jbcs.el6
redhat/jbcs-httpd24-apr	<0:1.6.3-104.jbcs.el7	0:1.6.3-104.jbcs.el7
redhat/jbcs-httpd24-apr-util	<0:1.6.1-75.jbcs.el7	0:1.6.1-75.jbcs.el7
redhat/jbcs-httpd24-brotli	<0:1.0.6-38.jbcs.el7	0:1.0.6-38.jbcs.el7
redhat/jbcs-httpd24-curl	<0:7.64.1-44.jbcs.el7	0:7.64.1-44.jbcs.el7
redhat/jbcs-httpd24-httpd	<0:2.4.37-64.jbcs.el7	0:2.4.37-64.jbcs.el7
redhat/jbcs-httpd24-jansson	<0:2.11-53.jbcs.el7	0:2.11-53.jbcs.el7
redhat/jbcs-httpd24-nghttp2	<0:1.39.2-34.jbcs.el7	0:1.39.2-34.jbcs.el7
redhat/jbcs-httpd24-openssl	<1:1.1.1c-32.jbcs.el7	1:1.1.1c-32.jbcs.el7
redhat/jbcs-httpd24-openssl-chil	<0:1.0.0-1.jbcs.el7	0:1.0.0-1.jbcs.el7
redhat/JBCS httpd	<2.4.37	2.4.37
Red Hat JBoss Core Services httpd	=2.4.37-sp3

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

RHSA-2020:4384

Frequently Asked Questions

What is the severity of CVE-2020-25680?
CVE-2020-25680 is categorized as a medium severity vulnerability.
How do I fix CVE-2020-25680?
To fix CVE-2020-25680, update the affected JBCS httpd packages to version 2.4.37-64.jbcs.el6 or el7 or later as recommended.
Which software versions are affected by CVE-2020-25680?
CVE-2020-25680 affects JBCS httpd version 2.4.37 SP3 and earlier versions.
What is the impact of CVE-2020-25680?
The impact of CVE-2020-25680 is that it allows connections to the back-end worker even when the SSL certificate validation fails.
Is there a workaround for CVE-2020-25680?
There is no official workaround for CVE-2020-25680, and updating to a patched version is recommended.

collector/redhat-cve
agent/first-publish-date
agent/type
agent/softwarecombine
agent/references
agent/severity
agent/weakness
agent/author
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2020-25680
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/redhat
vendor/redhat
canonical/red hat jboss core services httpd
version/red hat jboss core services httpd/2.4.37-sp3