CVE-2010-0731

CWE-119 Buffer Overflow (5 documents, 5 sources)
Severity: 7.5 HIGH
EPSS: 1.6% (top 18.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: (none listed on this page)
Timeline: Published Mar 26 (2010); latest update May 2 (2022)

Description

The gnutls_x509_crt_get_serial function in the GnuTLS library before 1.2.1, when running on big-endian, 64-bit platforms, calls asn1_read_value with a pointer to the wrong data type and the wrong length value, which allows remote attackers to bypass the certificate revocation list (CRL) check and cause a stack-based buffer overflow via a crafted X.509 certificate, related to extraction of a serial number. The mechanism is a type mismatch on the length argument: the caller's buffer size is held in a size_t and its address is cast to the int * that asn1_read_value expects, so on a 64-bit big-endian host the callee reads and writes the upper, wrong half of the 64-bit value; the serial is therefore decoded with an incorrect length, and the length handed back to the caller is equally wrong. The practical consequence for CRL checking is that a certificate's serial is not matched against the revocation list correctly, so a revoked certificate can be accepted.
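The following is an added illustration of the length/type mismatch described above, not code from GnuTLS or libtasn1. asn1_read_value is replaced by fake_asn1_read_value, a stand-in that keeps only the (buffer, int *len) contract of the real function (caller passes the buffer size in, callee returns the value length, and a too-small buffer fails with the required length reported); the status codes are local defines. The caller's size_t is modelled as a uint64_t and the big-endian layout is simulated by selecting which 32-bit half an aliasing int * would touch, so the example runs on any host; the serial bytes are constructed sample data. The vulnerable_get_serial/fixed_get_serial shapes are illustrative and are not the exact GnuTLS source.

```c
/* Added example for CVE-2010-0731: NOT GnuTLS/libtasn1 code.
 * fake_asn1_read_value stands in for asn1_read_value; the size_t that holds
 * the caller's buffer size is modelled as uint64_t so the 64-bit big-endian
 * layout can be simulated on a little-endian host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASN1_SUCCESS   0    /* local stand-in values for the libtasn1 codes */
#define ASN1_MEM_ERROR 12   /* output buffer too small */

#define SERIAL_LEN 20
/* Constructed 20-byte serial number (sample data, not from any real cert). */
static const unsigned char sample_serial[SERIAL_LEN] = {
    0x45, 0x9a, 0x11, 0x2d, 0x04, 0x19, 0x5e, 0x71, 0x13, 0x08,
    0x2f, 0x7d, 0xa4, 0xe5, 0x08, 0x20, 0x83, 0x5b, 0x01, 0xc2 };

/* Stand-in for asn1_read_value(): *len is the buffer size on entry and the
 * value length on exit; a too-small buffer fails and reports the need. */
static int fake_asn1_read_value(void *out, int *len)
{
    if (*len < SERIAL_LEN) {
        *len = SERIAL_LEN;
        return ASN1_MEM_ERROR;
    }
    memcpy(out, sample_serial, SERIAL_LEN);
    *len = SERIAL_LEN;
    return ASN1_SUCCESS;
}

/* What an `int *` aliasing the first four bytes of an 8-byte size_t reads:
 * the low half on a little-endian host, the high half on big-endian. */
static int aliased_int_load(uint64_t size, int big_endian)
{
    return (int)(big_endian ? (size >> 32) : (size & 0xffffffffu));
}

/* The 8-byte value left behind after writing `len` through that alias. */
static uint64_t aliased_int_store(uint64_t size, int len, int big_endian)
{
    uint64_t l = (uint32_t)len;
    return big_endian ? ((l << 32) | (size & 0xffffffffu))
                      : ((size & 0xffffffff00000000ull) | l);
}

/* Pre-1.2.1 shape: the caller's size_t * is cast straight to int *. */
static int vulnerable_get_serial(unsigned char *out, uint64_t *result_size,
                                 int big_endian)
{
    int len = aliased_int_load(*result_size, big_endian);   /* (int *)result_size */
    int ret = fake_asn1_read_value(out, &len);
    *result_size = aliased_int_store(*result_size, len, big_endian);
    return ret;
}

/* Fixed shape: marshal the length through a local int in both directions. */
static int fixed_get_serial(unsigned char *out, uint64_t *result_size)
{
    int len = (int)*result_size;
    int ret = fake_asn1_read_value(out, &len);
    *result_size = (uint64_t)len;
    return ret;
}

int main(void)
{
    unsigned char buf[64];
    uint64_t size;
    int ret;

    for (int be = 0; be <= 1; be++) {
        size = sizeof buf;
        memset(buf, 0, sizeof buf);
        ret = vulnerable_get_serial(buf, &size, be);
        printf("%s-endian 64-bit, vulnerable: ret=%d result_size=0x%llx\n",
               be ? "big" : "little", ret, (unsigned long long)size);
    }
    size = sizeof buf;
    ret = fixed_get_serial(buf, &size);
    printf("fixed, any endianness: ret=%d result_size=%llu\n",
           ret, (unsigned long long)size);
    return 0;
}
```

On the simulated little-endian host the alias happens to work (the callee sees 64, copies the serial, and the caller gets back 20). On the simulated big-endian host the callee reads the upper half, 0, refuses to decode, and its write of 20 lands in the upper half, so the caller is left with a failure status and a buffer length of 0x1400000040 bytes; any later code that trusts that length or the undecoded serial is operating on garbage, which is the path the advisory describes. The fix is to never hand a size_t's address to an int * parameter: copy into a local int and back.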

CVSS vector (v2)

AV:N/AC:L/C:P/I:P/A:P (Exploitability: 10.0 | Impact: 6.4). The Au component is omitted on the page; the 10.0 exploitability subscore corresponds to Au:N.

Affected Packages (1 package)

NVD: gnu/gnutls, version 1.2.0 (+21)

Patches: (none listed)

🔴 Vulnerability Details (2)

GHSA: GHSA-g8xp-5hv7-77f4: The gnutls_x509_crt_get_serial function in the GnuTLS library before 1... (2022-05-02)
CVEList: CVE-2010-0731: The gnutls_x509_crt_get_serial function in the GnuTLS library before 1... (2010-03-26)

📋 Vendor Advisories (1)

Red Hat: gnutls: gnutls_x509_crt_get_serial incorrect serial decoding from ASN1 (BE64) [GNUTLS-SA-2010-1] (2010-03-25)

💬 Community (1)

Bugzilla: CVE-2010-0731 gnutls: gnutls_x509_crt_get_serial incorrect serial decoding from ASN1 (BE64) [GNUTLS-SA-2010-1] (2010-03-12)
CVE-2010-0731 (HIGH CVSS 7.5) | The gnutls_x509_crt_get_serial func | cvebase.io