{
  "threat_severity" : "Moderate",
  "public_date" : "2021-03-12T09:54:00Z",
  "bugzilla" : {
    "description" : "gnutls: Use after free in client_send_params in lib/ext/pre_shared_key.c",
    "id" : "1922275",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1922275"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-416",
  "details" : [ "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.", "A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and denial of service." ],
  "statement" : "As mentioned in the upstream advisory and GnuTLS issue 1151 (see External References) this flaw is not easily exploitable and it only happens intermittently (denial of service is not always practical). For this reason, this flaw has been rated as having a security impact of Moderate.",
  "acknowledgement" : "Red Hat would like to thank GnuTLS project for reporting this issue. Upstream acknowledges Ivan Nikolchev as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.16-4.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nettle-0:3.4.1-7.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "gnutls-0:3.6.16-4.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-11-09T00:00:00Z",
    "advisory" : "RHSA-2021:4451",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "nettle-0:3.4.1-7.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "gnutls",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-20232\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20232\nhttps://gitlab.com/gnutls/gnutls/-/issues/1151\nhttps://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10" ],
  "name" : "CVE-2021-20232",
  "csaw" : false
}