{
  "threat_severity" : "Moderate",
  "public_date" : "2019-03-27T00:00:00Z",
  "bugzilla" : {
    "description" : "gnutls: invalid pointer access upon receiving async handshake messages",
    "id" : "1678411",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1678411"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-456",
  "details" : [ "An uninitialized pointer access was discovered in upstream gnutls versions 3.6.3 or later and before version 3.6.7; it can be triggered by certain post-handshake messages.", "A flaw was found in the way gnutls handled malformed TLS 1.3 asynchronous messages. An attacker could use this flaw to crash an application compiled with gnutls via invalid pointer access." ],
  "acknowledgement" : "This issue was discovered by Hubert Kario (Red Hat QE BaseOS Security team).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-11-05T00:00:00Z",
    "advisory" : "RHSA-2019:3600",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.8-8.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-11-05T00:00:00Z",
    "advisory" : "RHSA-2019:3600",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.8-8.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-3836\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3836\nhttps://www.gnutls.org/security-new.html#GNUTLS-SA-2019-03-27" ],
  "name" : "CVE-2019-3836",
  "csaw" : false
}