CVE-2008-4989

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).
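The check that goes wrong here is easy to state but worth seeing in code. The following is an added illustration, not GnuTLS's own code: it models a certificate as a record carrying the issuer name it claims plus the key that actually produced its signature, then contrasts a chain verifier that accepts a chain as soon as its last certificate is a trusted self-signed anchor (checking the leaf-to-anchor link by Distinguished Name only) with one that verifies every link cryptographically before consulting the trust store. `Cert`, `signature_verifies`, the two verifiers and all sample certificates are constructed for this example; the `signed_by` field stands in for a real public-key signature check.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal model of an X.509 certificate (constructed for this example)."""
    subject: str     # Distinguished Name of the certificate holder
    issuer: str      # Distinguished Name the certificate *claims* as its issuer
    signed_by: str   # owner of the key that really produced the signature (stand-in for crypto)


def signature_verifies(cert: Cert, signer: Cert) -> bool:
    """Stand-in for verifying cert's signature against signer's public key."""
    return cert.signed_by == signer.subject


def is_self_signed(cert: Cert) -> bool:
    return cert.issuer == cert.subject and signature_verifies(cert, cert)


def verify_chain_vulnerable(chain: list[Cert], trusted: frozenset[Cert]) -> bool:
    """Model of the flawed logic: once the last certificate is a trusted, self-signed
    anchor, the remaining links are matched by issuer name only, so a certificate that
    merely *names* the trusted CA as its issuer is accepted without its signature ever
    being verified against that CA."""
    if not chain:
        return False
    anchor = chain[-1]
    if not (is_self_signed(anchor) and anchor in trusted):
        return False
    # Name linkage only: child.issuer == parent.subject. No signature check here.
    return all(child.issuer == parent.subject for child, parent in zip(chain, chain[1:]))


def verify_chain_fixed(chain: list[Cert], trusted: frozenset[Cert]) -> bool:
    """Hardened logic: every link in the chain must verify cryptographically, and only
    then is the final certificate required to be a trust anchor."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not signature_verifies(child, parent):
            return False
    anchor = chain[-1]
    return is_self_signed(anchor) and anchor in trusted


# --- constructed sample data -------------------------------------------------
TRUSTED_CA = Cert("CN=Example Root CA", "CN=Example Root CA", "CN=Example Root CA")
TRUST_STORE = frozenset({TRUSTED_CA})

# Genuinely issued by the trusted CA.
LEGIT_LEAF = Cert("CN=bank.example", "CN=Example Root CA", "CN=Example Root CA")

# Claims the trusted CA as issuer but was signed with an unrelated key.
SPOOFED_LEAF = Cert("CN=bank.example", "CN=Example Root CA", "CN=unrelated-key")

# A self-signed root that is not in the trust store at all.
UNKNOWN_CA = Cert("CN=Unknown CA", "CN=Unknown CA", "CN=Unknown CA")


def evaluate() -> dict[str, bool]:
    """Run both verifiers over the sample chains; keys name chain and verifier."""
    chains = {
        "legit": [LEGIT_LEAF, TRUSTED_CA],
        "spoofed": [SPOOFED_LEAF, TRUSTED_CA],
        "unknown_anchor": [LEGIT_LEAF, UNKNOWN_CA],
    }
    results = {}
    for name, chain in chains.items():
        results[f"{name}/vulnerable"] = verify_chain_vulnerable(chain, TRUST_STORE)
        results[f"{name}/fixed"] = verify_chain_fixed(chain, TRUST_STORE)
    return results


if __name__ == "__main__":
    for key, ok in evaluate().items():
        print(f"{key:28s} {'ACCEPT' if ok else 'REJECT'}")
```

The two verifiers agree on a genuine chain and on a chain ending in an untrusted root; they differ only on the spoofed chain, which is exactly the case the description above is about. The lesson for anyone writing or reviewing path validation: membership of the final certificate in the trust store is necessary but never sufficient; each signature along the path has to be verified against the public key of the certificate that claims to have issued it.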
CVSS 3.x Base Score

Provider  Type  Base Score   Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  5.9 MEDIUM   NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
mitre     CNA   ---          ---
CVE       ADP   ---          ---

EPSS Score: percentile 59%
Vendor     Product           Version
gnu        gnutls            x < 2.6.1
canonical  ubuntu_linux      6.06
canonical  ubuntu_linux      7.10
canonical  ubuntu_linux      8.04
canonical  ubuntu_linux      8.10
debian     debian_linux      4.0
opensuse   opensuse          10.3 ≤ x ≤ 11.1
suse       linux_enterprise  10.0
suse       linux_enterprise  11.0

x = vulnerable software versions
Ubuntu Releases

Ubuntu Product  Codename  Status
gnutls11        karmic    dne
gnutls11        jaunty    dne
gnutls11        intrepid  dne
gnutls11        hardy     dne
gnutls11        gutsy     dne
gnutls11        dapper    ignored
gnutls12        karmic    dne
gnutls12        jaunty    dne
gnutls12        intrepid  dne
gnutls12        hardy     dne
gnutls12        gutsy     dne
gnutls12        dapper    Fixed 1.2.9-2ubuntu1.3 (released)
gnutls13        karmic    dne
gnutls13        jaunty    dne
gnutls13        intrepid  dne
gnutls13        hardy     Fixed 2.0.4-1ubuntu2.2 (released)
gnutls13        gutsy     Fixed 1.6.3-1ubuntu0.2 (released)
gnutls13        dapper    dne
gnutls26        karmic    not-affected
gnutls26        jaunty    not-affected
gnutls26        intrepid  Fixed 2.4.1-1ubuntu0.1 (released)
gnutls26        hardy     dne
gnutls26        gutsy     dne
gnutls26        dapper    dne

(dne = package does not exist in that release)
References