Home > Vulnerability Database > CVE-2016-7444

Mend.io Vulnerability Database

CVE-2016-7444

Date: September 27, 2016

The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc.

Language: C

Severity Score

7.5

Related Resources (11)

Url: https://lists.gnupg.org/pipermail/gnutls-devel/2016-September/008146.html

Url: https://www.gnutls.org/security.html

Url: https://security-tracker.debian.org/tracker/CVE-2016-7444

Url: https://gitlab.com/gnutls/gnutls/commit/964632f37dfdfb914ebc5e49db4fa29af35b1de9

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-7444

Url: https://access.redhat.com/errata/RHSA-2017:2292

Url: https://access.redhat.com/security/cve/CVE-2016-7444

Url: https://security.alpinelinux.org/vuln/CVE-2016-7444

Url: http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00005.html

Url: http://www.securityfocus.com/bid/92893

Url: https://www.mend.io/vulnerability-database/CVE-2016-7444

Severity Score

7.5

Weakness Type (CWE)

Permissions, Privileges, and Access Control

CWE-264

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-7444

Date: September 27, 2016

Language: C

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?