mod_gnutls falta la verificación del propósito de la clave en la verificación del certificado del cliente
Plataforma
apache
Componente
mod_gnutls
Corregido en
0.13.1
CVE-2026-33308 is a medium-severity vulnerability affecting modgnutls, a TLS module for Apache HTTPD. This flaw stems from inadequate verification of the key purpose within client certificates, potentially allowing unauthorized access. Versions of modgnutls prior to 0.13.0 are vulnerable, while servers not utilizing client certificate authentication are unaffected.
Impacto y Escenarios de Ataquetraduciendo…
An attacker exploiting this vulnerability could leverage a valid client certificate issued by a trusted Certificate Authority (CA), but with a key purpose not intended for TLS client authentication. By presenting this certificate, the attacker could bypass the intended authentication checks and gain access to resources requiring TLS client authentication. The potential impact includes unauthorized data access, modification, or deletion, depending on the privileges associated with the authenticated user. This vulnerability highlights the importance of proper certificate validation and key usage restrictions in TLS configurations.
Contexto de Explotacióntraduciendo…
This CVE was publicly disclosed on 2026-03-24. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is contingent on the configuration of Apache HTTPD and the use of TLS client authentication.
Quién Está en Riesgotraduciendo…
Organizations running Apache HTTPD with mod_gnutls versions prior to 0.13.0 and utilizing TLS client authentication are at risk. This includes environments relying on client certificates for secure access to web applications and APIs, particularly those with legacy systems or custom authentication implementations.
Pasos de Deteccióntraduciendo…
• apache / server:
# Check mod_gnutls version
httpd -M | grep gnutls
# Review Apache configuration for GnuTLSClientVerify directive
grep -r 'GnuTLSClientVerify' /etc/httpd/conf/*Cronología del Ataque
- Disclosure
disclosure
Inteligencia de Amenazas
Estado del Exploit
EPSS
0.03% (10% percentil)
CISA SSVC
Vector CVSS
¿Qué significan estas métricas?
- Attack Vector
- Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
- Attack Complexity
- Alta — requiere condición de carrera, configuración no predeterminada o circunstancias específicas. Más difícil de explotar.
- Privileges Required
- Ninguno — sin autenticación. No se necesitan credenciales para explotar.
- User Interaction
- Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
- Scope
- Cambiado — el ataque puede pivotar a otros sistemas más allá del componente vulnerable.
- Confidentiality
- Alto — pérdida total de confidencialidad. El atacante puede leer todos los datos.
- Integrity
- Ninguno — sin impacto en integridad.
- Availability
- Ninguno — sin impacto en disponibilidad.
Software Afectado
Clasificación de Debilidad (CWE)
Cronología
- Reservado
- Publicada
- EPSS actualizado
Mitigación y Workaroundstraduciendo…
The primary mitigation for CVE-2026-33308 is to upgrade mod_gnutls to version 0.13.0 or later. If an immediate upgrade is not feasible due to compatibility issues, consider temporarily disabling TLS client authentication (GnuTLSClientVerify ignore) as a workaround, though this significantly reduces security. Review your Apache configuration to ensure client certificate verification is only enabled where absolutely necessary. After upgrading, verify the fix by attempting to authenticate with a certificate having an incorrect key purpose; authentication should fail.
Cómo corregirlo
Actualice mod_gnutls a la versión 0.13.0 o superior. Esta versión corrige la verificación del propósito de la clave en la verificación del certificado del cliente. Si no es posible actualizar, revise la configuración de GnuTLSClientKeyPurpose para asegurar que el propósito de la clave sea el esperado.
Boletín de seguridad CVE
Análisis de vulnerabilidades y alertas críticas directamente en tu correo.
Preguntas frecuentestraduciendo…
What is CVE-2026-33308 — TLS Verification Bypass in mod_gnutls?
CVE-2026-33308 is a medium-severity vulnerability in mod_gnutls (≤ 0.13.0) that allows attackers to bypass TLS client authentication by exploiting improper certificate key purpose checks.
Am I affected by CVE-2026-33308 in mod_gnutls?
You are affected if you are running Apache HTTPD with mod_gnutls version 0.13.0 or earlier and have TLS client authentication enabled. Servers without client certificate verification are not affected.
How do I fix CVE-2026-33308 in mod_gnutls?
Upgrade mod_gnutls to version 0.13.0 or later. As a temporary workaround, disable TLS client authentication (GnuTLSClientVerify ignore), but be aware of the security implications.
Is CVE-2026-33308 being actively exploited?
As of the last update, there are no known public exploits or active campaigns targeting CVE-2026-33308.
Where can I find the official Apache advisory for CVE-2026-33308?
Refer to the Apache Security page for the latest information and official advisories: https://httpd.apache.org/security/
¿Tu proyecto está afectado?
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.