CVE-2008-2420 — Stunnel vulnerability

CWE-2647 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

0.5%

top 34.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Stunnel

Timeline

PublishedMay 23

Latest updateMay 1

Description

The OCSP functionality in stunnel before 4.24 does not properly search certificate revocation lists (CRL), which allows remote attackers to bypass intended access restrictions by using revoked certificates.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDstunnel/stunnel54 versions+53

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-7266-wh6x-6jjw: The OCSP functionality in stunnel before 4↗2022-05-01

▶

CVEList

CVE-2008-2420: The OCSP functionality in stunnel before 4↗2008-05-23

▶

OSV

CVE-2008-2420: The OCSP functionality in stunnel before 4↗2008-05-23

▶

📋Vendor Advisories

Red Hat

stunnel: incorrect CRL verification using OCSP protocol↗2008-05-19

▶

Debian

CVE-2008-2420: stunnel4 - The OCSP functionality in stunnel before 4.24 does not properly search certifica...↗2008

▶

💬Community

Bugzilla

CVE-2008-2420 stunnel: incorrect CRL verification using OCSP protocol↗2008-05-25

▶