CVSS: 5.9EPSS: 4%CPEs: 5EXPL: 0CVE-2015-8313
https://notcve.org/view.php?id=CVE-2015-8313
GnuTLS incorrectly validates the first byte of padding in CBC modes GnuTLS comprueba incorrectamente el primer byte de relleno en los modos CBC • http://www.debian.org/security/2015/dsa-3408 http://www.securityfocus.com/archive/1/537012/100/0/threaded http://www.securityfocus.com/bid/78327 https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8313 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-8313 https://security-tracker.debian.org/tracker/CVE-2015-8313 • CWE-203: Observable Discrepancy •
CVSS: 7.5EPSS: 3%CPEs: 2EXPL: 0CVE-2015-3308
https://notcve.org/view.php?id=CVE-2015-3308
Double free vulnerability in lib/x509/x509_ext.c in GnuTLS before 3.3.14 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted CRL distribution point. Vulnerabilidad de liberación doble en lib/x509/x509_ext.c en GnuTLS en versiones anteriores a 3.3.14, permite a atacantes remotos causar una denegación de servicio o posiblemente tener otro impacto no especificado a través de un punto de distribución CRL manipulado. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155101.html http://www.gnutls.org/security.html#GNUTLS-SA-2015-4 http://www.openwall.com/lists/oss-security/2015/04/15/6 http://www.openwall.com/lists/oss-security/2015/04/16/6 http://www.securityfocus.com/bid/74188 http://www.securitytracker.com/id/1033774 http://www.ubuntu.com/usn/USN-2727-1 https://gitlab.com/gnutls/gnutls/commit/053ae65403216acdb0a4e78b25ad66ee9f444f02 https://gitlab.com/gnutls/gnutls/co •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2014-8155 – gnutls: gnutls does not perform date/time checks on CA certificates
https://notcve.org/view.php?id=CVE-2014-8155
GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid. Vulnerabilidad en GnuTLS en versiones anteriores a 2.9.10, no verifica las fechas de activación y expiración de certificados CA, lo que permite a atacantes man-in-the-middle suplantar servidores a través de un certificado expedido por un certificado CA que (1) aún no es válido o (2) ya no es válido. It was found that GnuTLS did not check activation and expiration dates of CA certificates. This could cause an application using GnuTLS to incorrectly accept a certificate as valid when its issuing CA is already expired. • http://rhn.redhat.com/errata/RHSA-2015-1457.html http://www.securityfocus.com/bid/73317 https://gitlab.com/gnutls/gnutls/commit/897cbce62c0263a498088ac3e465aa5f05f8719c https://support.f5.com/csp/article/K53330207 https://access.redhat.com/security/cve/CVE-2014-8155 https://bugzilla.redhat.com/show_bug.cgi?id=1197995 • CWE-17: DEPRECATED: Code CWE-325: Missing Cryptographic Step •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2015-0282 – gnutls: RSA PKCS#1 signature verification forgery
https://notcve.org/view.php?id=CVE-2015-0282
GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors. GnuTLS anterior a 3.1.0 no verifica que el algoritmo de firmas RSA PKCS #1 coincide con el algoritmo de firmas en el certificado, lo que permite a atacantes remotos realizar ataques de degradación a través de vectores no especificados. It was found that GnuTLS did not verify whether a hashing algorithm listed in a signature matched the hashing algorithm listed in the certificate. An attacker could create a certificate that used a different hashing algorithm than it claimed, possibly causing GnuTLS to use an insecure, disallowed hashing algorithm during certificate verification. • http://rhn.redhat.com/errata/RHSA-2015-1457.html http://www.debian.org/security/2015/dsa-3191 http://www.gnutls.org/security.html http://www.securityfocus.com/bid/73119 http://www.securitytracker.com/id/1032148 https://access.redhat.com/security/cve/CVE-2015-0282 https://bugzilla.redhat.com/show_bug.cgi?id=1194371 • CWE-295: Improper Certificate Validation CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2015-0294 – gnutls: certificate algorithm consistency checking issue
https://notcve.org/view.php?id=CVE-2015-0294
GnuTLS before 3.3.13 does not validate that the signature algorithms match when importing a certificate. GnuTLS versiones anteriores a 3.3.13, no comprueba que los algoritmos de firma coincidan cuando se importa un certificado. It was discovered that GnuTLS did not check if all sections of X.509 certificates indicate the same signature algorithm. This flaw, in combination with a different flaw, could possibly lead to a bypass of the certificate signature check. • http://www.debian.org/security/2015/dsa-3191 https://bugzilla.redhat.com/show_bug.cgi?id=1196323 https://gitlab.com/gnutls/gnutls/commit/6e76e9b9fa845b76b0b9a45f05f4b54a052578ff https://access.redhat.com/security/cve/CVE-2015-0294 • CWE-295: Improper Certificate Validation •