{"containers": {"cna": {"affected": [{"product": "gnutls", "vendor": "n/a", "versions": [{"status": "affected", "version": "gnutls 3.7.1"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-30T09:06:16", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922276"}, {"tags": ["x_refsource_MISC"], "url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10"}, {"name": "FEDORA-2021-18bef34f05", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/"}, {"name": "[spark-issues] 20210413 [jira] [Created] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r5f88bed447742fcc5c47bf1c7be965ef450131914a6e1f85feba2779%40%3Cissues.spark.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210416-0005/"}, {"name": "[spark-issues] 20210417 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rcd70a4c88a47a75fd2d5f3ffb7cee8c2a18c713320bd90fdcb57495f%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210423 [jira] [Resolved] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r5d4001031e7790d8c6396c499522b4ed2aab782da87b1a14184793bb%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210425 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r9cbc69e57276413788e90a6ee16c7c034ea4258d31935b70db2bd158%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210426 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rfd5273d72d244178441e6904a2f2b41a3268f569e8092ea0b3b2bb20%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210426 [jira] [Updated] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rf5e1256d870193def4a82ad89ab95e63943a313b5ff0d81aa87e4532%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210429 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r50661d6f0082709aad9a584431b59ec364f9974b63b07e0800230168%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210430 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6ac143ba6dd98bd4bf6bf010d46e56e254056459721ba18822d611f7%40%3Cissues.spark.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-20231", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "gnutls", "version": {"version_data": [{"version_value": "gnutls 3.7.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-416"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1922276", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922276"}, {"name": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10", "refsource": "MISC", "url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10"}, {"name": "FEDORA-2021-18bef34f05", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/"}, {"name": "[spark-issues] 20210413 [jira] [Created] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5f88bed447742fcc5c47bf1c7be965ef450131914a6e1f85feba2779@%3Cissues.spark.apache.org%3E"}, {"name": "https://security.netapp.com/advisory/ntap-20210416-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210416-0005/"}, {"name": "[spark-issues] 20210417 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcd70a4c88a47a75fd2d5f3ffb7cee8c2a18c713320bd90fdcb57495f@%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210423 [jira] [Resolved] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5d4001031e7790d8c6396c499522b4ed2aab782da87b1a14184793bb@%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210425 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9cbc69e57276413788e90a6ee16c7c034ea4258d31935b70db2bd158@%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210426 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfd5273d72d244178441e6904a2f2b41a3268f569e8092ea0b3b2bb20@%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210426 [jira] [Updated] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf5e1256d870193def4a82ad89ab95e63943a313b5ff0d81aa87e4532@%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210429 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r50661d6f0082709aad9a584431b59ec364f9974b63b07e0800230168@%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210430 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ac143ba6dd98bd4bf6bf010d46e56e254056459721ba18822d611f7@%3Cissues.spark.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:30:07.517Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922276"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10"}, {"name": "FEDORA-2021-18bef34f05", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/"}, {"name": "[spark-issues] 20210413 [jira] [Created] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r5f88bed447742fcc5c47bf1c7be965ef450131914a6e1f85feba2779%40%3Cissues.spark.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210416-0005/"}, {"name": "[spark-issues] 20210417 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rcd70a4c88a47a75fd2d5f3ffb7cee8c2a18c713320bd90fdcb57495f%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210423 [jira] [Resolved] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r5d4001031e7790d8c6396c499522b4ed2aab782da87b1a14184793bb%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210425 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r9cbc69e57276413788e90a6ee16c7c034ea4258d31935b70db2bd158%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210426 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rfd5273d72d244178441e6904a2f2b41a3268f569e8092ea0b3b2bb20%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210426 [jira] [Updated] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rf5e1256d870193def4a82ad89ab95e63943a313b5ff0d81aa87e4532%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210429 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r50661d6f0082709aad9a584431b59ec364f9974b63b07e0800230168%40%3Cissues.spark.apache.org%3E"}, {"name": "[spark-issues] 20210430 [jira] [Commented] (SPARK-35054) Getting Critical Vulnerability CVE-2021-20231 on spark 3.0.0 branch", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6ac143ba6dd98bd4bf6bf010d46e56e254056459721ba18822d611f7%40%3Cissues.spark.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-20231", "datePublished": "2021-03-12T18:23:59", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:30:07.517Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*:*", "matchCriteriaId": "66BC7206-28E1-4A23-9701-78ABEA79D0C5", "versionEndExcluding": "3.7.1", "versionStartIncluding": "3.6.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*", "matchCriteriaId": "24B8DB06-590A-4008-B0AB-FCD1401C77C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences."}, {"lang": "es", "value": "Se encontr\u00f3 un defecto en gnutls. Un uso de la memoria previamente liberada en el cliente que env\u00eda la extensi\u00f3n key_share puede conllevar a una corrupci\u00f3n de la memoria y otras consecuencias"}], "id": "CVE-2021-20231", "lastModified": "2023-11-07T03:29:01.160", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-12T19:15:13.037", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922276"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r50661d6f0082709aad9a584431b59ec364f9974b63b07e0800230168%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r5d4001031e7790d8c6396c499522b4ed2aab782da87b1a14184793bb%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r5f88bed447742fcc5c47bf1c7be965ef450131914a6e1f85feba2779%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r6ac143ba6dd98bd4bf6bf010d46e56e254056459721ba18822d611f7%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r9cbc69e57276413788e90a6ee16c7c034ea4258d31935b70db2bd158%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rcd70a4c88a47a75fd2d5f3ffb7cee8c2a18c713320bd90fdcb57495f%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rf5e1256d870193def4a82ad89ab95e63943a313b5ff0d81aa87e4532%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/rfd5273d72d244178441e6904a2f2b41a3268f569e8092ea0b3b2bb20%40%3Cissues.spark.apache.org%3E"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OSLAE6PP33A7VYRYMYMUVB3U6B26GZER/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210416-0005/"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank GnuTLS project for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:4451", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnutls-0:3.6.16-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4451", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nettle-0:3.4.1-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4451", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnutls-0:3.6.16-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4451", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "nettle-0:3.4.1-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}], "bugzilla": {"description": "gnutls: Use after free in client key_share extension", "id": "1922276", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1922276"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-416", "details": ["A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.", "A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and denial of service."], "name": "CVE-2021-20231", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "gnutls", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gnutls", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gnutls", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-03-12T09:49:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-20231\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20231\nhttps://gitlab.com/gnutls/gnutls/-/issues/1151\nhttps://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10"], "statement": "As mentioned in the upstream advisory and GnuTLS issue 1151 (see External References) this flaw is not easily exploitable and it only happens intermittently (denial of service is not always practical). For this reason, this flaw has been rated as having a security impact of Moderate.", "threat_severity": "Moderate", "upstream_fix": "gnutls 3.7.1"}