CVE-2020-12823 — Classic Buffer Overflow in Openconnect

CWE-120 — Classic Buffer Overflow6 documents6 sources

Severity

9.8CRITICALNVD

EPSS

1.9%

top 16.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Infradead Openconnect Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedMay 12

Latest updateMay 24

Description

OpenConnect 8.09 has a buffer overflow, causing a denial of service (application crash) or possibly unspecified other impact, via crafted certificate data to get_cert_name in gnutls.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Debianinfradead/openconnect< 8.10-1+3

▶NVDinfradead/openconnect8.09

▶NVDopensuse/leap15.1, 15.2+1

Also affects: Debian Linux 8.0, Fedora 30, 31, 32

Patches

Patch: gitlab.com ↗Patch: gitlab.com ↗

🔴Vulnerability Details

GHSA

GHSA-f93c-rq5c-gvpf: OpenConnect 8↗2022-05-24

▶

OSV

CVE-2020-12823: OpenConnect 8↗2020-05-12

▶

CVEList

CVE-2020-12823: OpenConnect 8↗2020-05-12

▶

📋Vendor Advisories

Debian

CVE-2020-12823: openconnect - OpenConnect 8.09 has a buffer overflow, causing a denial of service (application...↗2020

▶

💬Community

Bugzilla

CVE-2020-12823 openconnect: buffer overflow via crafted certificate data to get_cert_name function in gnutls.c↗2020-05-22

▶