CVE-2015-8313 : GnuTLS incorrectly validates the first byte of padding in CBC modes

GnuTLS incorrectly validates the first byte of padding in CBC modes

Published 2019-12-20 14:15:12

Updated 2020-01-09 17:47:31

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2015-8313

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
GNU » Gnutls
Versions from including (>=) 2.0.0 and up to, including, (<=) 2.12.24
cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

1.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 76 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: nvd@nist.gov (Primary)

http://www.securityfocus.com/bid/78327

GnuTLS Padding Oracle Information Disclosure Vulnerability
Third Party Advisory;VDB Entry
http://www.securityfocus.com/archive/1/537012/100/0/threaded

SecurityFocus
Third Party Advisory;VDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8313

1287572 – (CVE-2015-8313) CVE-2015-8313 gnutls: First byte of the padding in CBC mode is not checked
Issue Tracking;Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2015-8313

CVE-2015-8313
Third Party Advisory
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2015-8313

Bug 957568 – VUL-0: CVE-2015-8313: gnutls: First byte of the padding in CBC mode is not checked
Issue Tracking;Patch;Third Party Advisory
http://www.debian.org/security/2015/dsa-3408

Debian -- Security Information -- DSA-3408-1 gnutls26
Third Party Advisory
https://blog.hboeck.de/archives/877-A-little-POODLE-left-in-GnuTLS-old-versions.html

A little POODLE left in GnuTLS (old versions) - Hanno's blog
Third Party Advisory

Jump to