CVE-2008-2377

Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via TLS transmission of data that is improperly used when the peer calls gnutls_handshake within a normal session, leading to attempted access to a deallocated libgcrypt handle.

Published: Aug 8, 2008
Updated: Apr 13, 2023
CVE: CVE-2008-2377
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.6
AV:N/AC:H/Au:N/C:C/I:C/A:C

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
gnu / gnutls	2.3.5	2.3.5.x
gnu / gnutls	2.3.8	2.3.8.x
gnu / gnutls	2.3.9	2.3.9.x
gnu / gnutls	2.4.0	2.4.0.x
gnu / gnutls	2.3.7	2.3.7.x
gnu / gnutls	2.3.6	2.3.6.x

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2947
http://secunia.com/advisories/31505
http://www.gnu.org/software/gnutls/security.html
http://www.nabble.com/Details-on-the-gnutls_handshake-local-crash-problem--GNUTLS-SA-2008-2--td18205022.html
http://www.securityfocus.com/bid/30713
http://www.vupen.com/english/advisories/2008/2398
https://exchange.xforce.ibmcloud.com/vulnerabilities/44486
https://issues.rpath.com/browse/RPL-2650

Vulnerability Database

CVE-2008-2377