Vulnerability Details : CVE-2008-2420
The OCSP functionality in stunnel before 4.24 does not properly search certificate revocation lists (CRL), which allows remote attackers to bypass intended access restrictions by using revoked certificates.
Products affected by CVE-2008-2420
- cpe:2.3:a:stunnel:stunnel:3.4a:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.7:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.8:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.14:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.15:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.16:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.21b:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.21c:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.12:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.13:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.21:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.21a:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.17:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.18:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.22:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.24:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.10:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.19:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.20:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.04:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.01:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.02:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.03:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.09:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.10:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.11:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.18:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.19:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.05:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.06:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.14:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.15:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.22:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.12:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.13:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.20:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.21:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.07:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.08:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.16:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.17:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.00:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.25:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.26:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.8p2:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.8p3:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.23:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.8p1:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.8p4:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.23:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-2420
0.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 63 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-2420
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2008-2420
-
Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-2420
-
Red Hat 2008-05-26Not vulnerable. OCSP protocol support was only implemented in upstream stunnel version 4.16. Therefore OCSP protocol is not available in the versions of stunnel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
References for CVE-2008-2420
-
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00856.html
[SECURITY] Fedora 9 Update: stunnel-4.24-1.fc9
-
http://stunnel.mirt.net/pipermail/stunnel-announce/2008-May/000035.html
-
http://www.securityfocus.com/bid/29309
Patch
-
http://secunia.com/advisories/30425
About Secunia Research | Flexera
-
http://www.mandriva.com/security/advisories?name=MDVSA-2008:168
Mandriva
-
http://www.vupen.com/english/advisories/2008/1569/references
Site en construction
-
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00942.html
[SECURITY] Fedora 7 Update: stunnel-4.24-0.fc7
-
http://secunia.com/advisories/30335
About Secunia Research | FlexeraVendor Advisory
-
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00907.html
[SECURITY] Fedora 8 Update: stunnel-4.24-0.fc8
-
http://security.gentoo.org/glsa/glsa-200808-08.xml
stunnel: Security bypass (GLSA 200808-08) — Gentoo security
-
http://secunia.com/advisories/31438
About Secunia Research | Flexera
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/42528
Stunnel OCSP security bypass CVE-2008-2420 Vulnerability Report
Jump to