Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

None

Attack Vector

Network

0

CVE-2008-4989

Disclosure Date: November 13, 2008 •

CVE-2008-4989 CVSS v3 Base Score: 5.9

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

5.9 Medium

Impact Score:

3.6

Exploitability Score:

2.2

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

None

Vendors

Products

References

Canonical

CVE-2008-4989 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4989)

BID-32232 (http://www.securityfocus.com/bid/32232)

Advisory

http://www.mandriva.com/security/advisories?name=MDVSA-2008:227

USN-678-2 (http://www.ubuntu.com/usn/usn-678-2)

SECUNIA-33694 (http://secunia.com/advisories/33694)

GLSA-200901-10 (http://security.gentoo.org/glsa/glsa-200901-10.xml)

http://www.redhat.com/support/errata/RHSA-2008-0982.html

USN-678-1 (https://usn.ubuntu.com/678-1)

20081117 rPSA-2008-0322-1 gnutls (http://www.securityfocus.com/archive/1/498431/100/0/threaded)

[gnutls-devel] 20081110 GnuTLS 2.6.1 - Security release [GNUTLS-SA-2008-3] (http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215)

[gnutls-devel] 20081110 Analysis of vulnerability GNUTLS-SA-2008-3 CVE-2008-4989 (http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217)

http://wiki.rpath.com/Advisories:rPSA-2008-0322

SECUNIA-32687 (http://secunia.com/advisories/32687)

FEDORA-2008-9600 (https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html)

http://www.gnu.org/software/gnutls/security.html

https://issues.rpath.com/browse/RPL-2886

SECUNIA-35423 (http://secunia.com/advisories/35423)

http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html

SECTRACK-1021167 (http://www.securitytracker.com/id?1021167)

SUNALERT-260528 (http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1)

SECUNIA-33501 (http://secunia.com/advisories/33501)

SECUNIA-32879 (http://secunia.com/advisories/32879)

ADV-2009-1567 (http://www.vupen.com/english/advisories/2009/1567)

SECUNIA-32619 (http://secunia.com/advisories/32619)

ADV-2008-3086 (http://www.vupen.com/english/advisories/2008/3086)

SECUNIA-32681 (http://secunia.com/advisories/32681)

http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11650

DSA-1719 (http://www.debian.org/security/2009/dsa-1719)

FEDORA-2008-9530 (https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html)

XF-gnutls-x509-name-spoofing(46482) (https://exchange.xforce.ibmcloud.com/vulnerabilities/46482)

Rapid7

Technical Analysis