{
  "threat_severity" : "Moderate",
  "public_date" : "2021-03-12T09:49:00Z",
  "bugzilla" : {
    "description" : "gnutls: Use after free in client key_share extension",
    "id" : "1922276",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1922276"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.", "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and denial of service." ],
  "statement" : "As mentioned in the upstream advisory and GnuTLS issue 1151 (see External References) this flaw is not easily exploitable and it only happens intermittently (denial of service is not always practical). For this reason, this flaw has been rated as having a security impact of Moderate.",
  "acknowledgement" : "Red Hat would like to thank GnuTLS project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.16-4.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nettle-0:3.4.1-7.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.16-4.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "nettle-0:3.4.1-7.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20231\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20231\nhttps://gitlab.com/gnutls/gnutls/-/issues/1151\nhttps://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10" ],
  "name" : "CVE-2021-20231",
  "csaw" : false
}