CVE-2020-15720 : What You Need to Know

Learn about CVE-2020-15720, a vulnerability in Dogtag PKI through 10.8.3 that could lead to Person-in-the-Middle attacks. Find out how to mitigate the risk and prevent unauthorized access.

In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class did not enable python-requests certificate validation, potentially exposing systems to Person-in-the-Middle attacks.

Understanding CVE-2020-15720

What is CVE-2020-15720?

CVE-2020-15720 is a vulnerability in Dogtag PKI through version 10.8.3 that could allow for Person-in-the-Middle attacks due to a lack of certificate validation.

The Impact of CVE-2020-15720

Because the client never checked the server's certificate, an attacker positioned on the network path between a tool built on this class (such as the pki-server command) and a PKI server it reaches over a non-localhost connection could impersonate the server or read and alter the traffic, exposing sensitive PKI operations and data to unauthorized access. Connections to localhost are not exposed in the same way, which is why the impact is limited to certain non-localhost use cases.

Technical Details of CVE-2020-15720

Vulnerability Description

The pki.client.PKIConnection class in Dogtag PKI did not enable python-requests certificate validation, making it vulnerable to Person-in-the-Middle attacks.

Affected Systems and Versions

        Product: Dogtag PKI (the pki.client.PKIConnection class)
        Vendor: Not listed in the CVE record
        Versions affected: Dogtag PKI through 10.8.3; fixed in 10.9.0-b1

Exploitation Mechanism

        The verify parameter that python-requests uses to decide whether to validate the server certificate was hard-coded inside every request function of the class, so callers had no argument or attribute through which to turn validation on. Tools that used the class inherited the setting, and a client that accepts any certificate can be intercepted by an attacker who can place a host between it and the server.
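As an added example (not Dogtag PKI's own code and not a reproduction of its client module), the pattern described above reduced to a small requests-style wrapper: a class that fixes verify=False inside every request function, beside a hardened variant whose verify setting defaults to validation and can be overridden per connection or per call, followed by a helper that flags the non-localhost requests that went out unverified. RecordingSession, the hostname pki.example.test, the CA bundle path and the REST paths are constructed for the example; the stand-in session records what python-requests would have been called with instead of opening a socket, so the code runs offline.

```python
"""Added example (not Dogtag PKI code): a requests-style client wrapper that
hard-codes certificate validation off, beside a hardened variant that honours
a caller-supplied ``verify`` setting, plus a small audit helper."""
from typing import Any, Dict, List, Tuple, Union
from urllib.parse import urlparse

Call = Tuple[str, str, Dict[str, Any]]


class RecordingSession:
    """Stand-in for requests.Session, constructed so the example runs offline.
    It records the keyword arguments each request would have been sent with
    instead of opening a socket; get()/post() mirror the real signatures."""

    def __init__(self) -> None:
        self.calls: List[Call] = []

    def request(self, method: str, url: str, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append((method, url, kwargs))
        return {"status_code": 200, "url": url}

    def get(self, url: str, **kwargs: Any) -> Dict[str, Any]:
        return self.request("GET", url, **kwargs)

    def post(self, url: str, **kwargs: Any) -> Dict[str, Any]:
        return self.request("POST", url, **kwargs)


def _default_session() -> Any:
    import requests  # only needed when no session is injected
    return requests.Session()


class VulnerablePKIConnection:
    """Pattern described for pki.client.PKIConnection before 10.9.0-b1: each
    request function passes its own fixed verify value, so there is no
    attribute or argument through which a caller can enable validation."""

    def __init__(self, hostname: str, port: int, session: Any = None) -> None:
        self.base = f"https://{hostname}:{port}"
        self.session = session if session is not None else _default_session()

    def get(self, path: str, **kwargs: Any) -> Any:
        # verify=False is fixed here. A caller passing verify=True gets a
        # TypeError (duplicate keyword), not a validated connection.
        return self.session.get(self.base + path, verify=False, **kwargs)

    def post(self, path: str, **kwargs: Any) -> Any:
        return self.session.post(self.base + path, verify=False, **kwargs)


class HardenedPKIConnection:
    """Same interface, but validation is on by default and configurable:
    verify may be True (system trust store), a CA bundle path, or False
    only as an explicit, per-connection opt-out."""

    def __init__(self, hostname: str, port: int, session: Any = None,
                 verify: Union[bool, str] = True) -> None:
        self.base = f"https://{hostname}:{port}"
        self.verify = verify
        self.session = session if session is not None else _default_session()

    def get(self, path: str, **kwargs: Any) -> Any:
        kwargs.setdefault("verify", self.verify)  # per-call override allowed
        return self.session.get(self.base + path, **kwargs)

    def post(self, path: str, **kwargs: Any) -> Any:
        kwargs.setdefault("verify", self.verify)
        return self.session.post(self.base + path, **kwargs)


def can_enable_verification(conn: Any) -> bool:
    """Probe whether a connection lets the caller turn validation on for one
    request. Needs a RecordingSession so the issued kwargs can be read back."""
    before = len(conn.session.calls)
    try:
        conn.get("/ca/rest/info", verify=True)
    except TypeError:
        return False
    return conn.session.calls[before][2].get("verify") is True


def unverified_remote_calls(session: RecordingSession) -> List[str]:
    """URLs requested with verify=False to a non-loopback host: the
    'non-localhost use cases' in which the flaw is exploitable."""
    loopback = {"localhost", "127.0.0.1", "::1"}
    hits: List[str] = []
    for _method, url, kwargs in session.calls:
        host = urlparse(url).hostname or ""
        if kwargs.get("verify") is False and host not in loopback:
            hits.append(url)
    return hits


if __name__ == "__main__":
    rs = RecordingSession()
    VulnerablePKIConnection("pki.example.test", 8443, session=rs).get("/ca/rest/certs")
    VulnerablePKIConnection("localhost", 8443, session=rs).get("/ca/rest/certs")
    HardenedPKIConnection("pki.example.test", 8443, session=rs,
                          verify="/etc/pki/ca-bundle.pem").get("/ca/rest/certs")
    print(unverified_remote_calls(rs))  # only the remote, unverified request
```

The hardened class uses setdefault rather than a fixed keyword so a caller can still pass verify on an individual call, which is exactly what the hard-coded version made impossible; the audit helper is the check a reviewer would run over a wrapper's request log (or, with the real library, over a mocked Session) before trusting it on a non-localhost connection.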

Mitigation and Prevention

Immediate Steps to Take

        Upgrade Dogtag PKI to version 10.9.0-b1 or later.
        Monitor network traffic for any suspicious activity.

Long-Term Security Practices

        Implement strict certificate validation practices in all network communications.
        Regularly update and patch software to address security vulnerabilities.
        Conduct security audits to identify and mitigate potential risks.

Patching and Updates

        Apply patches and updates provided by Dogtag PKI to fix the vulnerability.
