CVE-2009-1417: GnuTLS vulnerability

CWE-310 | 6 documents | 5 sources
Severity: 5.0 MEDIUM (NVD)
EPSS: 0.6% (top 31.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Apr 30
Latest update: May 2

Description

gnutls-cli in GnuTLS before 2.6.6 does not verify the activation and expiration times of X.509 certificates, which allows remote attackers to successfully present a certificate that is (1) not yet valid or (2) no longer valid, related to lack of time checks in the _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD: gnu/gnutls 2.6.5 +116

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-f5mp-3h5g-9fgh: gnutls-cli in GnuTLS before 2 (2022-05-02)
CVEList: CVE-2009-1417: gnutls-cli in GnuTLS before 2 (2009-04-30)

📋 Vendor Advisories (1)

Red Hat: gnutls: certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] (2009-04-30)

💬 Community (2)

Bugzilla: Fix checking of certificate activation/expiration times in gnutls (GNUTLS-SA-2009-3 / CVE-2009-1417) (2009-06-09)
Bugzilla: CVE-2009-1417 gnutls: certificate expiration not checked by gnutls-cli [GNUTLS-SA-2009-3] (2009-04-28)