<p>Upgrade <code>Debian:11</code> <code>gnutls28</code> to version 3.6.14-1 or higher.</p>

Use of a Broken or Risky Cryptographic Algorithm Affecting gnutls28 package, versions <3.6.14-1

Threat Intelligence

0.34% (72^nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-DEBIAN11-GNUTLS28-571256
published 4 Jun 2020
disclosed 4 Jun 2020

Report a new vulnerability Found a mistake?

Introduced: 4 Jun 2020

CVE-2020-13777 Open this link in a new tab CWE-327 Open this link in a new tab

How to fix?

Upgrade Debian:11 gnutls28 to version 3.6.14-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

High
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

None

Use of a Broken or Risky Cryptographic Algorithm Affecting gnutls28 package, versions <3.6.14-1

Severity

Snyk's Security Team recommends NVD's CVSS assessment