VDB
CVE-2020-13777
CVE-2020-13777
PUBLISHED
GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.
EPSS 1.21% · 79.4th percentile
Risk Scores
EPSS Score
1.21%
79.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | gnutls28 | 3.6.9-5ubuntu1, 3.6.9-5ubuntu2, 3.6.11.1-2ubuntu2 |
Timeline
- CVE Published
- Jun 15, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- May 13, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-13777 third-party-advisory
- https://gnutls.org/security-new.html#GNUTLS-SA-2020-06-03 third-party-advisory
- https://ubuntu.com/security/notices/USN-4384-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-13777 third-party-advisory