Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-2420

The OCSP functionality in stunnel before 4.24 does not properly search certificate revocation lists (CRL), which allows remote attackers to bypass intended access restrictions by using revoked certificates.

Published

2008-05-23T15:32:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 6.8 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-264

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	stunnel	stunnel	3.4a	Yes
Application	stunnel	stunnel	3.5	Yes
Application	stunnel	stunnel	3.6	Yes
Application	stunnel	stunnel	3.7	Yes
Application	stunnel	stunnel	3.8	Yes
Application	stunnel	stunnel	3.8p1	Yes
Application	stunnel	stunnel	3.8p2	Yes
Application	stunnel	stunnel	3.8p3	Yes
Application	stunnel	stunnel	3.8p4	Yes
Application	stunnel	stunnel	3.9	Yes
Application	stunnel	stunnel	3.10	Yes
Application	stunnel	stunnel	3.11	Yes
Application	stunnel	stunnel	3.12	Yes
Application	stunnel	stunnel	3.13	Yes
Application	stunnel	stunnel	3.14	Yes
Application	stunnel	stunnel	3.15	Yes
Application	stunnel	stunnel	3.16	Yes
Application	stunnel	stunnel	3.17	Yes
Application	stunnel	stunnel	3.18	Yes
Application	stunnel	stunnel	3.19	Yes
Application	stunnel	stunnel	3.20	Yes
Application	stunnel	stunnel	3.21	Yes
Application	stunnel	stunnel	3.21a	Yes
Application	stunnel	stunnel	3.21b	Yes
Application	stunnel	stunnel	3.21c	Yes
Application	stunnel	stunnel	3.22	Yes
Application	stunnel	stunnel	3.23	Yes
Application	stunnel	stunnel	3.24	Yes
Application	stunnel	stunnel	3.25	Yes
Application	stunnel	stunnel	3.26	Yes
Application	stunnel	stunnel	4.00	Yes
Application	stunnel	stunnel	4.01	Yes
Application	stunnel	stunnel	4.02	Yes
Application	stunnel	stunnel	4.03	Yes
Application	stunnel	stunnel	4.04	Yes
Application	stunnel	stunnel	4.05	Yes
Application	stunnel	stunnel	4.06	Yes
Application	stunnel	stunnel	4.07	Yes
Application	stunnel	stunnel	4.08	Yes
Application	stunnel	stunnel	4.09	Yes
Application	stunnel	stunnel	4.10	Yes
Application	stunnel	stunnel	4.11	Yes
Application	stunnel	stunnel	4.12	Yes
Application	stunnel	stunnel	4.13	Yes
Application	stunnel	stunnel	4.14	Yes
Application	stunnel	stunnel	4.15	Yes
Application	stunnel	stunnel	4.16	Yes
Application	stunnel	stunnel	4.17	Yes
Application	stunnel	stunnel	4.18	Yes
Application	stunnel	stunnel	4.19	Yes
Application	stunnel	stunnel	4.20	Yes
Application	stunnel	stunnel	4.21	Yes
Application	stunnel	stunnel	4.22	Yes
Application	stunnel	stunnel	4.23	Yes

References

http://secunia.com/advisories/30335 Vendor Advisory ([email protected])
http://secunia.com/advisories/30425 ([email protected])
http://secunia.com/advisories/31438 ([email protected])
http://security.gentoo.org/glsa/glsa-200808-08.xml ([email protected])
http://stunnel.mirt.net/pipermail/stunnel-announce/2008-May/000035.html ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2008:168 ([email protected])
http://www.securityfocus.com/bid/29309 Patch ([email protected])
http://www.vupen.com/english/advisories/2008/1569/references ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/42528 ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00856.html ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00907.html ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00942.html ([email protected])
http://secunia.com/advisories/30335 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/30425 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/31438 (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-200808-08.xml (af854a3a-2127-422b-91ae-364da2661108)
http://stunnel.mirt.net/pipermail/stunnel-announce/2008-May/000035.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2008:168 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/29309 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/1569/references (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/42528 (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00856.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00907.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00942.html (af854a3a-2127-422b-91ae-364da2661108)