CVE-2020-10754

Name: CVE-2020-10754
Description: It was found that nmcli, a command line interface to NetworkManager, did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

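Source Package | Release | Version | Status
network-manager (PTS) | jessie | 0.9.10.0-7 | vulnerable
network-manager | stretch | 1.6.2-3+deb9u2 | vulnerable
network-manager | buster | 1.14.6-2+deb10u1 | vulnerable
network-manager | bullseye | 1.30.6-1+deb11u1 | fixed
network-manager | bookworm | 1.42.4-1 | fixed
network-manager | sid, trixie | 1.46.0-1 | fixed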

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
network-manager | source | wheezy | (unfixed) | end-of-life | |
network-manager | source | (unstable) | 1.24.2-1 | unimportant | |

Notes

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/8affcc19b61fc3c516474ba075e61b82030feeb4
Only affects builds enabling ifcfg-rh settings plugin, source-wise only
affected but not the Debian binary builds (and is RedHat/Fedora specific
plugin).
