7.5

CVE-2016-7444

EPSS 1.02%
Veröffentlicht 27.09.2016 15:59:12
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle security@debian.org
CVE-Watchlists
Login
Unerledigt
Login

The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 0 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gnu ≫ Gnutls Version <= 3.4.14

Gnu ≫ Gnutls Version3.5.0

Gnu ≫ Gnutls Version3.5.1

Gnu ≫ Gnutls Version3.5.2

Gnu ≫ Gnutls Version3.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.02%	0.765

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00005.html

http://www.securityfocus.com/bid/92893

https://access.redhat.com/errata/RHSA-2017:2292

https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9

Patch

https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008146.html

Third Party Advisory

Mailing List

https://www.gnutls.org/security.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2016-7444

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-7444

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-7444

EUVD