CVE-2019-3829

A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00017.html
https://access.redhat.com/errata/RHSA-2019:3600
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3829	Issue Tracking Third Party Advisory
https://gitlab.com/gnutls/gnutls/issues/694	Exploit Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A3ETBUFBB4G7AITAOUYPGXVMBGVXKUAN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7TJIBRJWGWSH6XIO2MXIQ3W6ES4R6I4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WRSOL66LHP4SD3Y2ECJDOGT4K663ECDU/
https://security.gentoo.org/glsa/201904-14
https://security.netapp.com/advisory/ntap-20190619-0004/
https://usn.ubuntu.com/3999-1/
https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2019-03-27 18:29

Updated : 2024-02-04 20:20

NVD link : CVE-2019-3829

Mitre link : CVE-2019-3829

CVE.ORG link : CVE-2019-3829

JSON object : View

Products Affected

gnu

gnutls

fedoraproject

fedora

CWE

CWE-415

Double Free

CWE-416

Use After Free

{"id": "CVE-2019-3829", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2019-03-27T18:29:00.693", "references": [{"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00017.html", "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/errata/RHSA-2019:3600", "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3829", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://gitlab.com/gnutls/gnutls/issues/694", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A3ETBUFBB4G7AITAOUYPGXVMBGVXKUAN/", "source": "secalert@redhat.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7TJIBRJWGWSH6XIO2MXIQ3W6ES4R6I4/", "source": "secalert@redhat.com"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WRSOL66LHP4SD3Y2ECJDOGT4K663ECDU/", "source": "secalert@redhat.com"}, {"url": "https://security.gentoo.org/glsa/201904-14", "source": "secalert@redhat.com"}, {"url": "https://security.netapp.com/advisory/ntap-20190619-0004/", "source": "secalert@redhat.com"}, {"url": "https://usn.ubuntu.com/3999-1/", "source": "secalert@redhat.com"}, {"url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-415"}, {"lang": "en", "value": "CWE-416"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. A memory corruption (double free) vulnerability in the certificate verification API. Any client or server application that verifies X.509 certificates with GnuTLS 3.5.8 or later is affected."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad en gnutls, desde la versi\u00f3n 3.5.8 hasta antes de la 3.6.7. Hay una vulnerabilidad de corrupci\u00f3n de memoria (doble liberaci\u00f3n o \"double free\") en la API de verificaci\u00f3n de certificados. Cualquier aplicaci\u00f3n cliente o servidor que verifica certificados X.509 con GnuTLS en versiones 3.5.8 o posteriores se ha visto afectada."}], "lastModified": "2023-11-07T03:10:13.203", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "521F9E87-9015-43E4-A036-B7E26B96E06B", "versionEndExcluding": "3.6.7", "versionStartIncluding": "3.5.8"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3FEADDA-2AEE-4F65-9401-971B585664A8"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}