CVE-2020-26234

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-26234
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26234.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-26234
Aliases
Related
Published
2020-12-08T23:15:12.060Z
Modified
2025-11-20T11:23:06.981947Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Summary
[none]
Details

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification in the HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part of HTTPS: it ensures that the presented certificate is valid for the host. Disabling it can allow man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8. Please be aware that fixing the problem means that Opencast will no longer simply accept any self-signed certificate without it being properly imported. If you need such certificates, make sure to import them into the Java key store. Better yet, get a valid certificate.

References

Affected packages

Git / github.com/opencast/opencast

Affected ranges

Type
GIT
Repo
https://github.com/opencast/opencast
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.4.0
1.4.1
1.4.2
1.4.2-rc2
1.4.3
1.4.4
1.4.4-rc1
1.5.0
1.5.0-rc1
1.5.0-rc2
1.5.0-rc3
1.5.0-rc4
1.5.0-rc5
1.5.0-rc6
1.5.0-rc7
1.5.1
1.6.0
1.6.0-RC1
1.6.0-beta1
1.6.0-beta2
1.6.0-beta3
1.6.0-beta4
1.6.1-RC1

2.*

2.0.0-beta1
2.0.0-beta2

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "327109432411336250414956290650978932423",
            "length": 103.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-01413629",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "getAcceptedIssuers"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "263249292840919459147942955368873016510",
            "length": 760.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-0428f3dd",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "makeHttpClient"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "203933406073257927679797377721776597590",
            "length": 150.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-05a9060c",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "verify"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "146709177834572249933651891866948945572",
            "length": 156.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-06634641",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "checkServerTrusted"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "3686685004918688748946987975203957045",
            "length": 139.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-5e846b9d",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "verify"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "151377040256237848782078696221456892382",
            "length": 569.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-788fafcb",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "createTrustManager"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "306192249550679346978415369862643170783",
            "length": 151.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-7c9af470",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "verify"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "131537973306665995801838054688728276094",
            "length": 136.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-814d750c",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "verify"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "203404795811992004019295423138964071951",
            "length": 156.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-a40cd9a8",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "checkClientTrusted"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-c5ac9d2c",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    },
    {
        "digest": {
            "function_hash": "258328183412079227782352374265129915640",
            "length": 676.0
        },
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-26234-dab6a382",
        "target": {
            "file": "modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java",
            "function": "createHostNameVerifier"
        },
        "source": "https://github.com/opencast/opencast/commit/4225bf90af74557deaf8fb6b80b0705c9621acfc"
    }
]