{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-19T10:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03"}, {"name": "DSA-4697", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2020/dsa-4697"}, {"name": "FEDORA-2020-0cce3578e2", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/"}, {"name": "GLSA-202006-01", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202006-01"}, {"name": "USN-4384-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4384-1/"}, {"name": "openSUSE-SU-2020:0790", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html"}, {"name": "FEDORA-2020-76b705bb63", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/"}, {"name": "FEDORA-2020-ea11cb5ccc", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/"}, {"name": "FEDORA-2020-4f78f122a3", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200619-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13777", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03", "refsource": "CONFIRM", "url": "https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03"}, {"name": "DSA-4697", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2020/dsa-4697"}, {"name": "FEDORA-2020-0cce3578e2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/"}, {"name": "GLSA-202006-01", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202006-01"}, {"name": "USN-4384-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4384-1/"}, {"name": "openSUSE-SU-2020:0790", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html"}, {"name": "FEDORA-2020-76b705bb63", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/"}, {"name": "FEDORA-2020-ea11cb5ccc", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/"}, {"name": "FEDORA-2020-4f78f122a3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/"}, {"name": "https://security.netapp.com/advisory/ntap-20200619-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200619-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:25:16.491Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03"}, {"name": "DSA-4697", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2020/dsa-4697"}, {"name": "FEDORA-2020-0cce3578e2", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/"}, {"name": "GLSA-202006-01", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202006-01"}, {"name": "USN-4384-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4384-1/"}, {"name": "openSUSE-SU-2020:0790", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html"}, {"name": "FEDORA-2020-76b705bb63", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/"}, {"name": "FEDORA-2020-ea11cb5ccc", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/"}, {"name": "FEDORA-2020-4f78f122a3", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200619-0004/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13777", "datePublished": "2020-06-04T07:01:07", "dateReserved": "2020-06-03T00:00:00", "dateUpdated": "2024-08-04T12:25:16.491Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D9A3007-021D-4104-8BE1-1F3B205D832A", "versionEndExcluding": "3.6.14", "versionStartIncluding": "3.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application."}, {"lang": "es", "value": "GnuTLS versiones 3.6.x anteriores a 3.6.14, usa una criptograf\u00eda incorrecta para cifrar un ticket de sesi\u00f3n (una p\u00e9rdida de confidencialidad en TLS versi\u00f3n 1.2, y un desv\u00edo de autenticaci\u00f3n en TLS versi\u00f3n 1.3). La primera versi\u00f3n afectada es la 3.6.4 (24-09-2018) debido a un error en un commit del 18-09-2018. Hasta la primera rotaci\u00f3n de claves, el servidor TLS siempre utiliza datos err\u00f3neos en lugar de una clave de cifrado derivada de una aplicaci\u00f3n"}], "id": "CVE-2020-13777", "lastModified": "2024-11-21T05:01:50.330", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-04T07:15:10.000", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202006-01"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200619-0004/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4384-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4697"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00015.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6C4DHUKV6M6SJ5CV6KVHZNHNF7HCUE5P/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RTXZOXC4MHTFE2HKY6IAZMF2WHD2WMV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RRQBFK3UZ7SV76IYDTS4PS6ABS2DSJHK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMB3UGI5H5RCFRU6OGRPMNUCNLJGEN7Y/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202006-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200619-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4384-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2020/dsa-4697"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-327"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:2637", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnutls-0:3.6.8-11.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-06-22T00:00:00Z"}, {"advisory": "RHSA-2020:2637", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnutls-0:3.6.8-11.el8_2", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-06-22T00:00:00Z"}, {"advisory": "RHSA-2020:2639", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "gnutls-0:3.6.5-3.el8_0", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-06-22T00:00:00Z"}, {"advisory": "RHSA-2020:2638", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "gnutls-0:3.6.8-9.el8_1", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2020-06-22T00:00:00Z"}], "bugzilla": {"description": "gnutls: session resumption works without master key allowing MITM", "id": "1843723", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843723"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-345", "details": ["GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.", "A flaw was found in GnuTLS, in versions starting from 3.6.4, where it does not session the ticket encryption key in a secure fashion by the application which is connecting. This flaw allows an attacker to craft a man-in-the-middle-attack, with the ability to bypass the TLS1.3 authentication and also recover older conversations when TLS1.2 is in use. The highest threat to this flaw is to confidentiality and integrity."], "mitigation": {"lang": "en:us", "value": "There's no available mitigation for this issue."}, "name": "CVE-2020-13777", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "gnutls", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "gnutls", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gnutls", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2020-06-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-13777\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13777\nhttps://www.gnutls.org/security-new.html#GNUTLS-SA-2020-06-03"], "statement": "GnuTLS versions as shipped with Red Hat Enterprise Linux 7 and earlier are not affected, as the bug was introduced in upstream at GnuTLS version 3.6.4. The older versions do not carry the affected code.", "threat_severity": "Important"}