CVE-2008-2420
Summary
| CVE | CVE-2008-2420 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2008-05-23 15:32:00 UTC |
| Updated | 2026-04-23 00:35:47 UTC |
| Description | The OCSP functionality in stunnel before 4.24 does not properly search certificate revocation lists (CRL), which allows remote attackers to bypass intended access restrictions by using revoked certificates. |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Stunnel | Stunnel | 3.10 | All | All | All |
| Application | Stunnel | Stunnel | 3.11 | All | All | All |
| Application | Stunnel | Stunnel | 3.12 | All | All | All |
| Application | Stunnel | Stunnel | 3.13 | All | All | All |
| Application | Stunnel | Stunnel | 3.14 | All | All | All |
| Application | Stunnel | Stunnel | 3.15 | All | All | All |
| Application | Stunnel | Stunnel | 3.16 | All | All | All |
| Application | Stunnel | Stunnel | 3.17 | All | All | All |
| Application | Stunnel | Stunnel | 3.18 | All | All | All |
| Application | Stunnel | Stunnel | 3.19 | All | All | All |
| Application | Stunnel | Stunnel | 3.20 | All | All | All |
| Application | Stunnel | Stunnel | 3.21 | All | All | All |
| Application | Stunnel | Stunnel | 3.21a | All | All | All |
| Application | Stunnel | Stunnel | 3.21b | All | All | All |
| Application | Stunnel | Stunnel | 3.21c | All | All | All |
| Application | Stunnel | Stunnel | 3.22 | All | All | All |
| Application | Stunnel | Stunnel | 3.23 | All | All | All |
| Application | Stunnel | Stunnel | 3.24 | All | All | All |
| Application | Stunnel | Stunnel | 3.25 | All | All | All |
| Application | Stunnel | Stunnel | 3.26 | All | All | All |
| Application | Stunnel | Stunnel | 3.4a | All | All | All |
| Application | Stunnel | Stunnel | 3.5 | All | All | All |
| Application | Stunnel | Stunnel | 3.6 | All | All | All |
| Application | Stunnel | Stunnel | 3.7 | All | All | All |
| Application | Stunnel | Stunnel | 3.8 | All | All | All |
| Application | Stunnel | Stunnel | 3.8p1 | All | All | All |
| Application | Stunnel | Stunnel | 3.8p2 | All | All | All |
| Application | Stunnel | Stunnel | 3.8p3 | All | All | All |
| Application | Stunnel | Stunnel | 3.8p4 | All | All | All |
| Application | Stunnel | Stunnel | 3.9 | All | All | All |
| Application | Stunnel | Stunnel | 4.00 | All | All | All |
| Application | Stunnel | Stunnel | 4.01 | All | All | All |
| Application | Stunnel | Stunnel | 4.02 | All | All | All |
| Application | Stunnel | Stunnel | 4.03 | All | All | All |
| Application | Stunnel | Stunnel | 4.04 | All | All | All |
| Application | Stunnel | Stunnel | 4.05 | All | All | All |
| Application | Stunnel | Stunnel | 4.06 | All | All | All |
| Application | Stunnel | Stunnel | 4.07 | All | All | All |
| Application | Stunnel | Stunnel | 4.08 | All | All | All |
| Application | Stunnel | Stunnel | 4.09 | All | All | All |
| Application | Stunnel | Stunnel | 4.10 | All | All | All |
| Application | Stunnel | Stunnel | 4.11 | All | All | All |
| Application | Stunnel | Stunnel | 4.12 | All | All | All |
| Application | Stunnel | Stunnel | 4.13 | All | All | All |
| Application | Stunnel | Stunnel | 4.14 | All | All | All |
| Application | Stunnel | Stunnel | 4.15 | All | All | All |
| Application | Stunnel | Stunnel | 4.16 | All | All | All |
| Application | Stunnel | Stunnel | 4.17 | All | All | All |
| Application | Stunnel | Stunnel | 4.18 | All | All | All |
| Application | Stunnel | Stunnel | 4.19 | All | All | All |
| Application | Stunnel | Stunnel | 4.20 | All | All | All |
| Application | Stunnel | Stunnel | 4.21 | All | All | All |
| Application | Stunnel | Stunnel | 4.22 | All | All | All |
| Application | Stunnel | Stunnel | 4.23 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 9 Update: stunnel-4.24-1.fc9 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| [SECURITY] Fedora 7 Update: stunnel-4.24-0.fc7 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| Fedora update for stunnel - Advisories - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Gentoo update for stunnel - Secunia Advisories - Vulnerability Intelligence - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Support / Security / Advisories / / MDVSA-2008:168 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | |
| Webmail - OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | |
| [SECURITY] Fedora 8 Update: stunnel-4.24-0.fc8 | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| [stunnel-announce] stunnel 4.24 released | af854a3a-2127-422b-91ae-364da2661108 | stunnel.mirt.net | |
| Stunnel OCSP Revoked Certificate Security Issue - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Vendor Advisory |
| Stunnel OCSP Certificate Validation Security Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Patch |
| stunnel: Security bypass — Gentoo Linux Documentation | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2008-05-26 | Mark J Cox | Not vulnerable. OCSP protocol support was only implemented in upstream stunnel version 4.16. Therefore OCSP protocol is not available in the versions of stunnel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. |
There are currently no legacy QID mappings associated with this CVE.