How severe is CVE-2020-15813?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2020-15813?

This is classified as CWE-295, which is a common weakness in software security.

CVE-2020-15813 - HIGH Severity | CVSS 8.1

Vulnerability Description

Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP servers. It allows use of an external user/group database stored in LDAP. The connection configuration allows the usage of unencrypted, SSL- or TLS-secured connections. Unfortunately, the Graylog client code (in all versions that support LDAP) does not implement proper certificate validation (regardless of whether the "Allow self-signed certificates" option is used). Therefore, any attacker with the ability to intercept network traffic between a Graylog server and an LDAP server is able to redirect traffic to a different LDAP server (unnoticed by the Graylog server due to the lack of certificate validation), effectively bypassing Graylog's authentication mechanism.

Related Vulnerabilities

CVE-2015-2318

HIGH

CVSS:8.1(High)

The TLS stack in Mono before 3.12.1 allows man-in-the-middle attackers to conduct message skipping attacks and consequently impersonate clients by leveraging missing handshake state validation, aka a ...

CWE-2952015

CVE-2015-5263

HIGH

CVSS:8.1(High)

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.

CWE-2952015

CVE-2015-8960

HIGH

CVSS:8.1(High)

The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute th...

CWE-2952015

CVE-2016-10931

HIGH

CVSS:8.1(High)

An issue was discovered in the openssl crate before 0.9.0 for Rust. There is an SSL/TLS man-in-the-middle vulnerability because certificate verification is off by default and there is no API for hostn...

CWE-2952016

CVE-2016-1148

HIGH

CVSS:8.1(High)

Akerun - Smart Lock Robot App for iOS before 1.2.4 does not verify SSL certificates.

CWE-2952016

CVE-2016-7075

HIGH

CVSS:8.1(High)

It was found that Kubernetes as used by Openshift Enterprise 3 did not correctly validate X.509 client intermediate certificate host name fields. An attacker could use this flaw to bypass authenticati...

CWE-2952016