Description
There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:
- A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic
within the certtool utility. When it reads certain settings from a template file, it allows an attacker to
cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service
(DoS) that could potentially crash the system. (CVE-2025-32990)
- A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient
algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to
increased resource consumption. This flaw allows a remote attacker to send a specially crafted
certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.
(CVE-2024-12243)
- A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().
(CVE-2025-6395)
- A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that
handles PKCS#11 token initialization. When a token label longer than expected is processed, the function
writes past the end of a fixed-size stack buffer. This programming error can cause the application using
GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or
applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation
attacks. (CVE-2025-9820)
- A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central
Processing Unit) and memory consumption via specially crafted malicious certificates containing a large
number of name constraints and subject alternative names (SANs). (CVE-2025-14831)
Plugin Details
Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 2/10/2025