CVE-2020-10754

NameCVE-2020-10754
DescriptionIt was found that nmcli, a command line interface to NetworkManager did not honour 802-1x.ca-path and 802-1x.phase2-ca-path settings, when creating a new profile. When a user connects to a network using this profile, the authentication does not happen and the connection is made insecurely.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
network-manager (PTS)stretch1.6.2-3+deb9u2vulnerable
buster1.14.6-2+deb10u1vulnerable
bullseye, sid1.27.91-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
network-managersource(unstable)1.24.2-1unimportant

Notes

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/8affcc19b61fc3c516474ba075e61b82030feeb4
Only affects builds enabling ifcfg-rh settings plugin, source-wise only
affected but not the Debian binary builds (and is RedHat/Fedora specific
plugin).
Search for package or bug name: Reporting problems