CVE-2008-4989

Published: Nov 13, 2008Modified: Apr 23, 2026

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

The _gnutls_x509_verify_certificate function in lib/x509/verify.c in libgnutls in GnuTLS before 2.6.1 trusts certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate, which allows man-in-the-middle attackers to insert a spoofed certificate for any Distinguished Name (DN).

Affected (13)

Products: Gnu: Gnutls · Fedoraproject: Fedora · Canonical: Ubuntu Linux · +3 more

Show all products

Gnu: Gnutls · Fedoraproject: Fedora · Canonical: Ubuntu Linux · Debian: Debian Linux · Opensuse: Opensuse · Suse: Linux Enterprise, Linux Enterprise Server

1 product

1 product

1 product

1 product

1 product

2 products

Linux Enterprise Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gnu Gnutls	Before 2.6.1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 8
Fedoraproject Fedora	Version 9

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 6.06
Canonical Ubuntu Linux	Version 7.10
Canonical Ubuntu Linux	Version 8.04
Canonical Ubuntu Linux	Version 8.10

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 4.0

Configuration E

5 vulnerable

Vulnerable Software	Affected Versions
Opensuse Opensuse	From 10.3 to 11.1
Suse Linux Enterprise	Version 10.0
Suse Linux Enterprise	Version 11.0
Suse Linux Enterprise Server	Version 10
Suse Linux Enterprise Server	Version 11

Related CWEs

CWE-295

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (60)

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215

Source: cve@mitre.org

Broken LinkPatch

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3217

Source: cve@mitre.org

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html

Source: cve@mitre.org

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html

Source: cve@mitre.org

Mailing List

http://secunia.com/advisories/32619

Source: cve@mitre.org

Broken LinkVendor Advisory

http://secunia.com/advisories/32681

Source: cve@mitre.org

Broken Link

http://secunia.com/advisories/32687

Source: cve@mitre.org

Broken Link

http://secunia.com/advisories/32879

Source: cve@mitre.org

Broken Link

http://secunia.com/advisories/33501

Source: cve@mitre.org

Broken Link

http://secunia.com/advisories/33694

Source: cve@mitre.org

Broken Link

http://secunia.com/advisories/35423

Source: cve@mitre.org

Broken Link

http://security.gentoo.org/glsa/glsa-200901-10.xml

Source: cve@mitre.org

Third Party Advisory

http://sunsolve.sun.com/search/document.do?assetkey=1-26-260528-1

Source: cve@mitre.org

Broken Link

http://wiki.rpath.com/Advisories:rPSA-2008-0322

Source: cve@mitre.org

Broken Link

http://www.debian.org/security/2009/dsa-1719

Source: cve@mitre.org

Mailing List

http://www.gnu.org/software/gnutls/security.html

Source: cve@mitre.org

Product

http://www.mandriva.com/security/advisories?name=MDVSA-2008:227

Source: cve@mitre.org

Broken Link

http://www.redhat.com/support/errata/RHSA-2008-0982.html

Source: cve@mitre.org

Broken Link

http://www.securityfocus.com/archive/1/498431/100/0/threaded

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/32232

Source: cve@mitre.org

Broken LinkPatchThird Party AdvisoryVDB Entry

http://www.securitytracker.com/id?1021167

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.ubuntu.com/usn/usn-678-2

Source: cve@mitre.org

Third Party Advisory

http://www.vupen.com/english/advisories/2008/3086

Source: cve@mitre.org

Broken Link

http://www.vupen.com/english/advisories/2009/1567

Source: cve@mitre.org

Broken Link

https://exchange.xforce.ibmcloud.com/vulnerabilities/46482

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://issues.rpath.com/browse/RPL-2886

Source: cve@mitre.org

Broken Link

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11650

Source: cve@mitre.org

Broken Link

https://usn.ubuntu.com/678-1/

Source: cve@mitre.org

Broken Link

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00222.html

Source: cve@mitre.org

Mailing List

https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00293.html

Source: cve@mitre.org

Mailing List

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3215