CVE-2008-4989

Severity

43%

Complexity

86%

Confidentiality

48%

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N).

Overview

First reported 16 years ago

2008-11-13 01:00:00

Last updated 6 years ago

2018-10-11 20:53:00

Affected Software

GNU GnuTLS 1.0.16

1.0.16

GNU GnuTLS 1.0.17

1.0.17

GNU GnuTLS 1.0.18

1.0.18

GNU GnuTLS 1.0.19

1.0.19

GNU GnuTLS 1.0.20

1.0.20

GNU GnuTLS 1.0.21

1.0.21

GNU GnuTLS 1.0.22

1.0.22

GNU GnuTLS 1.0.23

1.0.23

GNU GnuTLS 1.0.24

1.0.24

GNU GnuTLS 1.0.25

1.0.25

GNU GnuTLS 1.1.13

1.1.13

GNU GnuTLS 1.1.14

1.1.14

GNU GnuTLS 1.1.15

1.1.15

GNU GnuTLS 1.1.16

1.1.16

GNU GnuTLS 1.1.17

1.1.17

GNU GnuTLS 1.1.18

1.1.18

GNU GnuTLS 1.1.19

1.1.19

GNU GnuTLS 1.1.20

1.1.20

GNU GnuTLS 1.1.21

1.1.21

GNU GnuTLS 1.1.22

1.1.22

GNU GnuTLS 1.1.23

1.1.23

GNU GnuTLS 1.2.0

1.2.0

GNU GnuTLS 1.2.1

1.2.1

GNU GnuTLS 1.2.2

1.2.2

GNU GnuTLS 1.2.3

1.2.3

GNU GnuTLS 1.2.4

1.2.4

GNU GnuTLS 1.2.5

1.2.5

GNU GnuTLS 1.2.6

1.2.6

GNU GnuTLS 1.2.7

1.2.7

GNU GnuTLS 1.2.8

1.2.8

GNU GnuTLS 1.2.8.1a1

1.2.8.1a1

GNU GnuTLS 1.2.9

1.2.9

GNU GnuTLS 1.2.10

1.2.10

GNU GnuTLS 1.2.11

1.2.11

GNU GnuTLS 1.3.0

1.3.0

GNU GnuTLS 1.3.1

1.3.1

GNU GnuTLS 1.3.2

1.3.2

GNU GnuTLS 1.3.3

1.3.3

GNU GnuTLS 1.3.4

1.3.4

GNU GnuTLS 1.3.5

1.3.5

GNU GnuTLS 1.4.0

1.4.0

GNU GnuTLS 1.4.1

1.4.1

GNU GnuTLS 1.4.2

1.4.2

GNU GnuTLS 1.4.3

1.4.3

GNU GnuTLS 1.4.4

1.4.4

GNU GnuTLS 1.4.5

1.4.5

GNU GnuTLS 1.5.0

1.5.0

GNU GnuTLS 1.5.1

1.5.1

GNU GnuTLS 1.5.2

1.5.2

GNU GnuTLS 1.5.3

1.5.3

GNU GnuTLS 1.5.4

1.5.4

GNU GnuTLS 1.5.5

1.5.5

GNU GnuTLS 1.6.0

1.6.0

GNU GnuTLS 1.6.1

1.6.1

GNU GnuTLS 1.6.2

1.6.2

GNU GnuTLS 1.6.3

1.6.3

GNU GnuTLS 1.7.0

1.7.0

GNU GnuTLS 1.7.1

1.7.1

GNU GnuTLS 1.7.2

1.7.2

GNU GnuTLS 1.7.3

1.7.3

GNU GnuTLS 1.7.4

1.7.4

GNU GnuTLS 1.7.5

1.7.5

GNU GnuTLS 1.7.6

1.7.6

GNU GnuTLS 1.7.7

1.7.7

GNU GnuTLS 1.7.8

1.7.8

GNU GnuTLS 1.7.9

1.7.9

GNU GnuTLS 1.7.10

1.7.10

GNU GnuTLS 1.7.11

1.7.11

GNU GnuTLS 1.7.12

1.7.12

GNU GnuTLS 1.7.13

1.7.13

GNU GnuTLS 1.7.14

1.7.14

GNU GnuTLS 1.7.15

1.7.15

GNU GnuTLS 1.7.16

1.7.16

GNU GnuTLS 1.7.17

1.7.17

GNU GnuTLS 1.7.18

1.7.18

GNU GnuTLS 1.7.19

1.7.19

GNU GnuTLS 2.0.0

2.0.0

GNU GnuTLS 2.0.1

2.0.1

GNU GnuTLS 2.0.2

2.0.2

GNU GnuTLS 2.0.3

2.0.3

GNU GnuTLS 2.0.4

2.0.4

GNU GnuTLS 2.1.0

2.1.0

GNU GnuTLS 2.1.1

2.1.1

GNU GnuTLS 2.1.2

2.1.2

GNU GnuTLS 2.1.3

2.1.3

GNU GnuTLS 2.1.4

2.1.4

GNU GnuTLS 2.1.5

2.1.5

GNU GnuTLS 2.1.6

2.1.6

GNU GnuTLS 2.1.7

2.1.7

GNU GnuTLS 2.1.8

2.1.8

GNU GnuTLS 2.2.0

2.2.0

GNU GnuTLS 2.2.1

2.2.1

GNU GnuTLS 2.2.2

2.2.2

GNU GnuTLS 2.2.3

2.2.3

GNU GnuTLS 2.2.4

2.2.4

GNU GnuTLS 2.2.5

2.2.5

GNU GnuTLS 2.3.0

2.3.0

GNU GnuTLS 2.3.1

2.3.1

GNU GnuTLS 2.3.2

2.3.2

GNU GnuTLS 2.3.3

2.3.3

GNU GnuTLS 2.3.4

2.3.4

GNU GnuTLS 2.3.5

2.3.5

GNU GnuTLS 2.3.6

2.3.6

GNU GnuTLS 2.3.7

2.3.7

GNU GnuTLS 2.3.8

2.3.8

GNU GnuTLS 2.3.9

2.3.9

GNU GnuTLS 2.3.10

2.3.10

GNU GnuTLS 2.3.11

2.3.11

GNU GnuTLS 2.4.0

2.4.0

GNU GnuTLS 2.4.1

2.4.1

GNU GnuTLS 2.4.2

2.4.2

GNU GnuTLS

References

[gnutls-devel] 20081110 GnuTLS 2.6.1 - Security release [GNUTLS-SA-2008-3]

Patch

[gnutls-devel] 20081110 Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989

SUSE-SR:2008:027

SUSE-SR:2009:009

32619

Vendor Advisory

32681

32687

32879

33501

33694

35423

GLSA-200901-10

260528

http://wiki.rpath.com/Advisories:rPSA-2008-0322

DSA-1719

http://www.gnu.org/software/gnutls/security.html

MDVSA-2008:227

RHSA-2008:0982

20081117 rPSA-2008-0322-1 gnutls

32232

Patch

1021167

USN-678-2

ADV-2008-3086

ADV-2009-1567

gnutls-x509-name-spoofing(46482)

https://issues.rpath.com/browse/RPL-2886

oval:org.mitre.oval:def:11650

USN-678-1

FEDORA-2008-9530

FEDORA-2008-9600

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.