Date: Thu, 27 May 2021 07:18:08 -0700
From: James Dailey <>
Subject: CVE-2020-17514: Apache Fineract: Disabled hostname verification for HTTPS

The Fineract project announces the release of 1.5.0, which, among other things,
fixes this issue.

*CVE-2020-17514: Disabled Hostname verification for HTTPS*

*Critical*:  Apache Fineract disables HTTPS hostname verification in
`ProcessorHelper` in the `configureClient` method.

Under typical deployments, a man-in-the-middle attack could succeed.
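To show the weak setting beside the corrected one, here is an added Java example (not Fineract's own code): `ACCEPT_ALL` is a constructed illustration of the pattern the advisory describes, `hardenedConnection` restores the JDK default verifier, and `isPermissive` is a hypothetical audit helper for spotting an accept-all verifier.

```java
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;

public class HostnameVerificationDemo {

    // Weak pattern (constructed example): a verifier that accepts every host name.
    // With this installed, a certificate issued for any other name is accepted for
    // the host the client actually asked for, which is what enables the MITM.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    // Corrected pattern: do not replace the verifier. The JDK default compares the
    // requested host name against the certificate's subjectAltName / CN entries.
    static HttpsURLConnection hardenedConnection(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Explicitly reset to the default in case another component overrode it.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }

    // Audit helper (hypothetical): a real verifier cannot approve a host name with no
    // session to compare it against, so "true" here means the verifier is accept-all.
    static boolean isPermissive(HostnameVerifier verifier) {
        try {
            return verifier.verify("definitely-not-the-peer.invalid", null);
        } catch (RuntimeException e) {
            // A verifier that refuses a null session is not the accept-all pattern.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accept-all verifier permissive? " + isPermissive(ACCEPT_ALL));
        System.out.println("JDK default verifier permissive? "
                + isPermissive(HttpsURLConnection.getDefaultHostnameVerifier()));

        // The URL is a placeholder; openConnection() does not connect to the network.
        HttpsURLConnection conn = hardenedConnection(new URL("https://api.example/"));
        System.out.println("hardened connection permissive? "
                + isPermissive(conn.getHostnameVerifier()));
    }
}
```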

*Release branch*: The fix is available at

*Acknowledgements*: We would like to thank Simon Gerst at  for reporting this issue, and the *Apache
Security team* for their assistance.
Reported to security team: 15 October 2020
Fixed: 19 October 2020
Update released: 23 May 2021
Issue public: 26 May 2021
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0, 1.1.0,
1.2.0, 1.3.0, 1.4.0
