CVE-2025-49015
BaseFortify
Publication date: 2025-06-18
Last updated on: 2025-07-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| couchbase | .net_sdk | to 3.7.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-297 | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Couchbase .NET SDK before version 3.7.1 does not properly enable hostname verification for TLS certificates. In addition, the SDK connected using IP addresses instead of hostnames because a configuration option was incorrectly enabled by default, which can undermine the security of TLS connections.
How can this vulnerability impact me?
Because hostname verification is not properly enabled and IP addresses are used instead of hostnames, an attacker could potentially perform man-in-the-middle attacks by presenting a TLS certificate that does not match the expected hostname, compromising the confidentiality and integrity of data transmitted between the client and server.
What immediate steps should I take to mitigate this vulnerability?
Update the Couchbase .NET SDK to version 3.7.1 or later to ensure proper hostname verification for TLS certificates and correct the configuration option to use hostnames instead of IP addresses.