CVE-2015-2091
mod-gnutls < 0.5.1 - Unauthenticated Client Certificate Spoofing via mgs_hook_authz
The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate.
References (4)
Core References
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201709-04
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2015/dsa-3177
Issue Tracking x_refsource_confirm
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=578663
Vendor Advisory x_refsource_misc
http://issues.outoforder.cc/view.php?id=93
Scores
EPSS
0.0071
EPSS Percentile
72.6%
Details
CWE
CWE-310
Status
published
Products (1)
apache/mod-gnutls
< 0.5.1
Published
Mar 13, 2015
Tracked Since
Feb 18, 2026