CVE-2008-4989 — Improper Certificate Validation in Gnutls

CWE-295 — Improper Certificate Validation6 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.4%

top 39.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Gnutls Opensuse Canonical Ubuntu Linux +4 more

Timeline

PublishedNov 13

Latest updateMay 14

Description

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDgnu/gnutls< 2.6.1

▶NVDopensuse/opensuse10.3 — 11.1

▶NVDsuse/linux_enterprise_server10, 11+1

Also affects: Debian Linux 4.0, Fedora 8, 9, Linux Enterprise 10.0, 11.0, Ubuntu Linux 6.06, 7.10, 8.04, 8.10

Patches

Patch: article.gmane.org ↗Patch: www.securityfocus.com ↗Patch: article.gmane.org ↗

🔴Vulnerability Details

GHSA

GHSA-8ph9-x262-cchw: The _gnutls_x509_verify_certificate function in lib/x509/verify↗2022-05-14

▶

CVEList

CVE-2008-4989: The _gnutls_x509_verify_certificate function in lib/x509/verify↗2008-11-13

▶

📋Vendor Advisories

Ubuntu

GnuTLS vulnerability↗2008-11-26

▶

Red Hat

gnutls: certificate chain verification flaw↗2008-11-10

▶

💬Community

Bugzilla

CVE-2008-4989 gnutls: certificate chain verification flaw↗2008-11-05

▶