Vulnerability CVE-2015-0282

Vulnerability Name:

CVE-2015-0282 (CCN-102423)

Assigned:

2014-11-18

Published:

2015-03-11

Updated:

2018-01-05

Summary:

GnuTLS before 3.1.0 does not verify that the RSA PKCS #1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N)
3.0 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-310
CWE-295

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2015-0282

Source: REDHAT
Type: UNKNOWN
RHSA-2015:1457

Source: DEBIAN
Type: UNKNOWN
DSA-3191

Source: CCN
Type: GNUTLS-SA-2015-1
Signature forgery

Source: CONFIRM
Type: Vendor Advisory
http://www.gnutls.org/security.html

Source: BID
Type: UNKNOWN
73119

Source: CCN
Type: BID-73119
GnuTLS CVE-2015-0282 Certificate Validation Security Bypass Vulnerability

Source: SECTRACK
Type: UNKNOWN
1032148

Source: XF
Type: UNKNOWN
gnutls-cve20150282-sec-bypass(102423)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-0282

Vulnerable Configuration:

Configuration 1:

cpe:/a:gnu:gnutls:*:*:*:*:*:*:*:* (Version <= 3.0.9)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:gnu:gnutls:3.0.9:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20150282	V	CVE-2015-0282	2022-05-20
oval:org.opensuse.security:def:33063	P	Security update for xorg-x11-server (Important)	2021-12-14
oval:org.opensuse.security:def:32215	P	Security update for qemu (Important)	2021-11-10
oval:org.opensuse.security:def:31691	P	Security update for apache2 (Important)	2021-10-06
oval:org.opensuse.security:def:26114	P	Security update for openexr (Important)	2021-09-02
oval:org.opensuse.security:def:26076	P	Security update for webkit2gtk3 (Important)	2021-06-17
oval:org.opensuse.security:def:42546	P	gnutls-2.4.1-24.39.55.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36139	P	gnutls-2.4.1-24.39.55.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:36451	P	libgnutls-devel-2.4.1-24.39.55.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:31617	P	Security update for samba (Important)	2021-05-04
oval:org.opensuse.security:def:31606	P	Security update for clamav (Important)	2021-04-14
oval:org.opensuse.security:def:31605	P	Security update for xorg-x11-server (Important)	2021-04-14
oval:org.opensuse.security:def:32059	P	Security update for the Linux Kernel (Live Patch 31 for SLE 12 SP3) (Important)	2021-04-07
oval:org.opensuse.security:def:33102	P	Security update for openssl (Moderate)	2021-03-24
oval:org.opensuse.security:def:32271	P	Security update for git (Important)	2021-03-09
oval:org.opensuse.security:def:26204	P	Security update for freeradius-server (Low)	2021-03-04
oval:org.opensuse.security:def:26030	P	Security update for php72 (Moderate)	2021-01-14
oval:org.opensuse.security:def:25973	P	Security update for the Linux Kernel (Important)	2020-12-09
oval:org.opensuse.security:def:31823	P	Security update for bash (Moderate)	2020-12-01
oval:org.opensuse.security:def:27449	P	libgnutls-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26012	P	Security update for mariadb (Moderate)	2020-12-01
oval:org.opensuse.security:def:26464	P	Security update for enigmail (Moderate)	2020-12-01
oval:org.opensuse.security:def:25688	P	Security update for systemd (Important)	2020-12-01
oval:org.opensuse.security:def:32320	P	Security update for rzsz (Moderate)	2020-12-01
oval:org.opensuse.security:def:26577	P	kvm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27414	P	gnucash on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26001	P	Security update for openexr (Moderate)	2020-12-01
oval:org.opensuse.security:def:26420	P	Security update for phpMyAdmin (Moderate)	2020-12-01
oval:org.opensuse.security:def:26426	P	Security update for singularity (Moderate)	2020-12-01
oval:org.opensuse.security:def:26776	P	libzip1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26000	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:26406	P	Security update for mbedtls (Moderate)	2020-12-01
oval:org.opensuse.security:def:26342	P	Security update for openjpeg2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:25892	P	Security update for gstreamer-0_10-plugins-good (Important)	2020-12-01
oval:org.opensuse.security:def:26732	P	kvm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26367	P	Security update for MozillaThunderbird (Moderate)	2020-12-01
oval:org.opensuse.security:def:26285	P	Security update for the Linux Kernel (Critical)	2020-12-01
oval:org.opensuse.security:def:25764	P	Security update for webkitgtk (Moderate)	2020-12-01
oval:org.opensuse.security:def:32425	P	Security update for wpa_supplicant (Moderate)	2020-12-01
oval:org.opensuse.security:def:26718	P	hplip on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26318	P	Security update for MozillaThunderbird (Moderate)	2020-12-01
oval:org.opensuse.security:def:31972	P	Security update for jakarta-commons-fileupload (Important)	2020-12-01
oval:org.opensuse.security:def:27137	P	gnutls on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25700	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:32381	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:26679	P	cron on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26265	P	Security update for guile (Low)	2020-12-01
oval:org.opensuse.security:def:31915	P	Security update for gd (Moderate)	2020-12-01
oval:org.opensuse.security:def:27102	P	cups on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:25689	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:32359	P	Security update for strongswan (Moderate)	2020-12-01
oval:org.opensuse.security:def:26630	P	perl-spamassassin on GA media (Moderate)	2020-12-01
oval:org.cisecurity:def:261	P	DSA-3191-1 -- gnutls26 -- security update	2016-02-08
oval:com.redhat.rhsa:def:20151457	P	RHSA-2015:1457: gnutls security and bug fix update (Moderate)	2015-07-22
oval:com.ubuntu.precise:def:20150282000	V	CVE-2015-0282 on Ubuntu 12.04 LTS (precise) - medium.	2015-03-24
oval:com.ubuntu.trusty:def:20150282000	V	CVE-2015-0282 on Ubuntu 14.04 LTS (trusty) - medium.	2015-03-24
oval:com.ubuntu.xenial:def:201502820000000	V	CVE-2015-0282 on Ubuntu 16.04 LTS (xenial) - medium.	2015-03-24
oval:com.ubuntu.xenial:def:20150282000	V	CVE-2015-0282 on Ubuntu 16.04 LTS (xenial) - medium.	2015-03-24

BACK