CVE-2020-24659
published 2020-09-04CVE-2020-24659: An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with…
high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
An issue was discovered in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | gnutls28 | < gnutls28 3.6.15-1 (bookworm) | gnutls28 3.6.15-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| gnu | gnutls | < 3.6.15 | 3.6.15 |
| msrc | cbl2_gnutls_3.6.14-5_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_gnutls_3.6.14-3_on_cbl_mariner_1.0 | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH