CVE-2014-8155
GnuTLS < 2.9.10 - Certificate Validation Bypass via Invalid CA Certificate Dates
GnuTLS before 2.9.10 does not verify the activation and expiration dates of CA certificates, which allows man-in-the-middle attackers to spoof servers via a certificate issued by a CA certificate that is (1) not yet valid or (2) no longer valid.
References (4)
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/73317
Patch (x_refsource_confirm): https://gitlab.com/gnutls/gnutls/commit/897cbce62c0263a498088ac3e465aa5f05f8719c
Vendor Advisory (x_refsource_confirm): https://support.f5.com/csp/article/K53330207
Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2015-1457.html
Scores
EPSS: 0.0029
EPSS Percentile: 52.1%
Details
CWE: CWE-17
Status: published
Products (1): gnu/gnutls < 2.9.9
Published: Aug 14, 2015
Tracked Since: Feb 18, 2026