CVE-2008-4989

Published: 13/11/2008 Updated: 09/02/2024
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS prior to 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle malicious users to insert a spoofed certificate for any Distinguished Name (DN).

gnu gnutls

fedoraproject fedora 9

fedoraproject fedora 8

canonical ubuntu linux 7.10

canonical ubuntu linux 8.10

canonical ubuntu linux 8.04

canonical ubuntu linux 6.06

debian debian linux 4.0

suse linux enterprise server 11

suse linux enterprise server 10

suse linux enterprise 11.0

suse linux enterprise 10.0

opensuse opensuse

Vendor Advisories

Synopsis: Moderate: gnutls security update. Type/Severity: Security Advisory: Moderate. Topic: Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Description ...
Martin von Gagern discovered that GNUTLS, an implementation of the TLS/SSL protocol, handles verification of X.509 certificate chains incorrectly if a self-signed certificate is configured as a trusted certificate. This could cause clients to accept forged server certificates as genuine (CVE-2008-4989). In addition, this update tightens the checks ...
Moxie Marlinspike and Dan Kaminsky independently discovered that GnuTLS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications (CVE-2009-2730) ...
USN-678-1 fixed a vulnerability in GnuTLS. The upstream patch introduced a regression when validating certain certificate chains that would report valid certificates as untrusted. This update fixes the problem ...
Martin von Gagern discovered that GnuTLS did not properly verify certificate chains when the last certificate in the chain was self-signed. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information (CVE-2008-4989) ...

References

CWE-295
http://secunia.com/advisories/32619
http://www.gnu.org/software/gnutls/security.html
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217
http://www.securityfocus.com/bid/32232
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215
http://secunia.com/advisories/32879
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html
http://secunia.com/advisories/32681
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html
http://secunia.com/advisories/33501
http://security.gentoo.org/glsa/glsa-200901-10.xml
http://www.ubuntu.com/usn/usn-678-2
http://secunia.com/advisories/33694
http://www.debian.org/security/2009/dsa-1719
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1
http://secunia.com/advisories/35423
http://www.vupen.com/english/advisories/2009/1567
http://www.securitytracker.com/id?1021167
http://www.mandriva.com/security/advisories?name=MDVSA-2008:227
http://www.redhat.com/support/errata/RHSA-2008-0982.html
http://secunia.com/advisories/32687
http://www.vupen.com/english/advisories/2008/3086
http://wiki.rpath.com/Advisories:rPSA-2008-0322
https://issues.rpath.com/browse/RPL-2886
https://exchange.xforce.ibmcloud.com/vulnerabilities/46482
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11650
https://usn.ubuntu.com/678-1/
http://www.securityfocus.com/archive/1/498431/100/0/threaded
https://access.redhat.com/errata/RHSA-2008:0982
https://www.debian.org/security/./dsa-1719
https://nvd.nist.gov
https://usn.ubuntu.com/809-1/