CVE-2014-8564

CWE-310 CWE-190 — Integer Overflow CWE-122 — Heap-based Buffer Overflow9 documents8 sources

Severity

5.0MEDIUM

EPSS

0.7%

top 28.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Ubuntu Linux GNU Gnutls Opensuse Opensuse +4 more

Timeline

PublishedNov 13

Latest updateMay 14

Description

The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages7 packages

▶Debiangnutls28< 3.3.8-4+3

▶NVDgnu/gnutls90 versions+89

▶NVDopensuse/opensuse12.3, 13.1, 13.2+2

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

Also affects: Ubuntu Linux 14.10

Patches

Patch: www.ubuntu.com ↗Patch: www.ubuntu.com ↗

🔴Vulnerability Details

GHSA

GHSA-rp47-7r25-f53m: The _gnutls_ecc_ansi_x963_export function in gnutls_ecc↗2022-05-14

▶

CVEList

CVE-2014-8564: The _gnutls_ecc_ansi_x963_export function in gnutls_ecc↗2014-11-13

▶

OSV

CVE-2014-8564: The _gnutls_ecc_ansi_x963_export function in gnutls_ecc↗2014-11-13

▶

📋Vendor Advisories

Ubuntu

GnuTLS vulnerability↗2014-11-11

▶

Red Hat

gnutls: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)↗2014-11-10

▶

Debian

CVE-2014-8564: gnutls28 - The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3...↗2014

▶

💬Community

Bugzilla

CVE-2014-8564 gnutls: Heap corruption when generating key ID for ECC [fedora-all]↗2014-11-10

▶

Bugzilla

CVE-2014-8564 gnutls: Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)↗2014-11-07

▶