CVE-2009-1415 : lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle

lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not properly handle invalid DSA signatures, which allows remote attackers to cause a denial of service (application crash) and possibly have unspecified other impact via a malformed DSA key that triggers a (1) free of an uninitialized pointer or (2) double free.

Published 2009-04-30 20:30:01

Updated 2025-04-09 00:30:58

Source MITRE

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Products affected by CVE-2009-1415

GNU » Gnutls
Versions before (<) 2.6.6
cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2009-1415

EPSS FAQ

17.76%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 95 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2009-1415

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2009-1415

CWE-255

Assigned by: nvd@nist.gov (Primary)
CWE-824 Access of Uninitialized Pointer

The product accesses or uses a pointer that has not been initialized.

Assigned by: nvd@nist.gov (Primary)

Vendor statements for CVE-2009-1415

Red Hat 2009-09-21

Not vulnerable. This issue did not affect versions of gnutls shipped in Red Hat Enterprise Linux 4 and 5 as it only affected gnutls 2.6.x versions.

References for CVE-2009-1415

https://exchange.xforce.ibmcloud.com/vulnerabilities/50445

GnuTLS libgnutls denial of service CVE-2009-1415 Vulnerability Report
Third Party Advisory;VDB Entry
http://secunia.com/advisories/35211

About Secunia Research | Flexera
Broken Link

CVEs referencing this url
http://www.mandriva.com/security/advisories?name=MDVSA-2009:116

Mandriva
Broken Link

CVEs referencing this url
http://www.vupen.com/english/advisories/2009/1218

Webmail: access your OVH emails on ovhcloud.com | OVHcloud
Broken Link

CVEs referencing this url
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3515

Broken Link;Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/50257

GnuTLS DSA code execution CVE-2009-1415 Vulnerability Report
Third Party Advisory;VDB Entry
http://security.gentoo.org/glsa/glsa-200905-04.xml

GnuTLS: Multiple vulnerabilities (GLSA 200905-04) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/50260

GnuTLS DSA spoofing CVE-2009-1416 Vulnerability Report
Not Applicable
http://www.securityfocus.com/bid/34783

Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3488

Broken Link;Exploit
http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3502

Broken Link
http://www.securitytracker.com/id?1022157

GoDaddy Domain Name Search
Broken Link;Third Party Advisory;VDB Entry
http://secunia.com/advisories/34842

About Secunia Research | Flexera
Broken Link;Vendor Advisory

CVEs referencing this url