CVE-2014-8155

GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.
Configurations

Configuration 1

cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*

History

13 Feb 2023, 00:43

Type Values Removed Values Added
Summary
  Values Removed: It was found that GnuTLS did not check activation and expiration dates of CA certificates. This could cause an application using GnuTLS to incorrectly accept a certificate as valid when its issuing CA is already expired.
  Values Added: GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-8155
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1197995
  • (MISC) https://access.redhat.com/errata/RHSA-2015:1457

02 Feb 2023, 20:19

Type Values Removed Values Added
Summary
  Values Removed: GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.
  Values Added: It was found that GnuTLS did not check activation and expiration dates of CA certificates. This could cause an application using GnuTLS to incorrectly accept a certificate as valid when its issuing CA is already expired.
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2014-8155 -
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1197995 -
  • (MISC) https://access.redhat.com/errata/RHSA-2015:1457 -

Information

Published : 2015-08-14 18:59

Updated : 2023-12-10 11:46


NVD link : CVE-2014-8155

Mitre link : CVE-2014-8155

CVE.ORG link : CVE-2014-8155



Products Affected

gnu

  • gnutls
CWE
CWE-17

DEPRECATED: Code