CVE-2019-3836 — MEDIUM (5.9)

Q: What is CVE-2019-3836?

CVE-2019-3836 is a vulnerability with a CVSS score of 5.9 (MEDIUM). It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.

Q: How severe is CVE-2019-3836?

CVE-2019-3836 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-3836?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Fedoraproject Fedora, Opensuse Leap.

Vulnerability Description

It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gnu	Gnutls	>= 3.6.3, < 3.6.7
Fedoraproject	Fedora	28
Opensuse	Leap	15.0

Related Weaknesses (CWE)

CWE-456 CWE-824

References

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00017.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2019:3600
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3836Issue TrackingThird Party Advisory
https://gitlab.com/gnutls/gnutls/issues/704ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/201904-14Third Party Advisory
https://security.netapp.com/advisory/ntap-20190502-0005/Third Party Advisory
https://usn.ubuntu.com/3999-1/
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00017.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2019:3600
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3836Issue TrackingThird Party Advisory
https://gitlab.com/gnutls/gnutls/issues/704ExploitIssue TrackingThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/201904-14Third Party Advisory
https://security.netapp.com/advisory/ntap-20190502-0005/Third Party Advisory

FAQ

What is CVE-2019-3836?

CVE-2019-3836 is a vulnerability with a CVSS score of 5.9 (MEDIUM). It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versions 3.6.3 or later which can be triggered by certain post-handshake messages.

How severe is CVE-2019-3836?

CVE-2019-3836 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-3836?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Fedoraproject Fedora, Opensuse Leap.