Main Vulnerability Database Vulnerabilities #VU87672

#VU87672 Input validation error in GnuTLS - CVE-2024-28835

Published: March 20, 2024

Vulnerability identifier: #VU87672

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-28835

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
GnuTLS

Software vendor:
GnuTLS

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing the cert_list_size parameter in the gnutls_x509_trust_list_verify_crt2() function in certtool. A remote attacker can pass specially crafted PEM encoded certificate chain that contains more than 16 certificates to the certtool and crash it.

Remediation

Install updates from vendor's website.

External links

https://gitlab.com/gnutls/gnutls/-/issues/1527
https://gitlab.com/gnutls/gnutls/-/issues/1525