Published: 09/01/2020 Updated: 27/01/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

GSocketClient in GNOME GLib up to and including 2.62.4 may occasionally connect directly to a target address instead of connecting via a proxy server when configured to do so, because the proxy_addr field is mishandled. This bug is timing-dependent and may occur only sporadically depending on network delays. The greatest security relevance is in use cases where a proxy is used to help with privacy/anonymity, even though there is no technical barrier to a direct connection. NOTE: versions prior to 2.60 are unaffected.

Affected Products

Vendor | Product | Versions
Gnome | Glib | 2.60.0, 2.60.1, 2.60.2, 2.60.3, 2.60.4, 2.60.5, 2.60.6, 2.60.7, 2.61.0, 2.61.1, 2.61.2, 2.61.3, 2.62.0, 2.62.1, 2.62.2

Vendor Advisories

Debian Bug report logs - #948554 glib2.0: CVE-2020-6750: Socks5 Proxy: Proxy on a SocketClient set via set_proxy_resolver ignored
Package: src:glib2.0; Maintainer for src:glib2.0 is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri ...