CVE-2008-4989 — MEDIUM (5.9)

Q: How severe is CVE-2008-4989?

CVE-2008-4989 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2008-4989?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Fedoraproject Fedora, Canonical Ubuntu Linux, Debian Debian Linux, Opensuse Opensuse.

Vulnerability Description

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Gnu	Gnutls	< 2.6.1
Fedoraproject	Fedora	8
Canonical	Ubuntu Linux	6.06
Debian	Debian Linux	4.0
Opensuse	Opensuse	>= 10.3, <= 11.1
Suse	Linux Enterprise	10.0
Suse	Linux Enterprise Server	10

Related Weaknesses (CWE)

CWE-295

References

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215Broken LinkPatch
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217Broken Link
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.htmlMailing List
http://secunia.com/advisories/32619Broken LinkVendor Advisory
http://secunia.com/advisories/32681Broken Link
http://secunia.com/advisories/32687Broken Link
http://secunia.com/advisories/32879Broken Link
http://secunia.com/advisories/33501Broken Link
http://secunia.com/advisories/33694Broken Link
http://secunia.com/advisories/35423Broken Link
http://security.gentoo.org/glsa/glsa-200901-10.xmlThird Party Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1Broken Link
http://wiki.rpath.com/Advisories:rPSA-2008-0322Broken Link
http://www.debian.org/security/2009/dsa-1719Mailing List

FAQ

What is CVE-2008-4989?

CVE-2008-4989 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certi...

How severe is CVE-2008-4989?

CVE-2008-4989 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2008-4989?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Fedoraproject Fedora, Canonical Ubuntu Linux, Debian Debian Linux, Opensuse Opensuse.