CVE-2008-2420 [Medium] | Security Bypass in Stunnel

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.49%	1.36%	+0.88%
2	2025-03-30	0.85%	0.49%	-0.36%
3	2025-03-29	—	0.85%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.49%

1.36%

+0.88%

2025-03-30

0.85%

0.49%

-0.36%

2025-03-29

—

0.85%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
6.8	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	8.6	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

6.8

2.0

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

8.6

6.4

[email protected]

OS Trackers for CVE-2008-2420

vendor	priority	summary	link
`debian`	low	CVE-2008-2420 low priority: Debian including 1 source packages (stunnel4), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): resolved 4.	https://security-tracker.debian.org/tracker/CVE-2008-2420
`gentoo`	low	CVE-2008-2420: 1 GLSA(s) (200808-08), 1 atom(s) (net-misc/stunnel); latest impact low.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-2420
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2008-2420
`ubuntu`	medium	CVE-2008-2420 medium priority: Ubuntu including 1 source packages (stunnel4), 12 status rows across 12 suites (dapper, feisty, gutsy, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): not-affected 7, ignored 4, released 1.	https://ubuntu.com/security/CVE-2008-2420

Vendor comments (NVD) for CVE-2008-2420

Red Hat (2008-05-26T00:00:00)
Not vulnerable. OCSP protocol support was only implemented in upstream stunnel version 4.16. Therefore OCSP protocol is not available in the versions of stunnel as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Affected software / configurations for CVE-2008-2420

Vendor	Product	Version	Raw CPE
stunnel	stunnel	3.4a	cpe:2.3:a:stunnel:stunnel:3.4a:::::::*
stunnel	stunnel	3.5	cpe:2.3:a:stunnel:stunnel:3.5:::::::*
stunnel	stunnel	3.6	cpe:2.3:a:stunnel:stunnel:3.6:::::::*
stunnel	stunnel	3.7	cpe:2.3:a:stunnel:stunnel:3.7:::::::*
stunnel	stunnel	3.8	cpe:2.3:a:stunnel:stunnel:3.8:::::::*
stunnel	stunnel	3.8p1	cpe:2.3:a:stunnel:stunnel:3.8p1:::::::*
stunnel	stunnel	3.8p2	cpe:2.3:a:stunnel:stunnel:3.8p2:::::::*
stunnel	stunnel	3.8p3	cpe:2.3:a:stunnel:stunnel:3.8p3:::::::*
stunnel	stunnel	3.8p4	cpe:2.3:a:stunnel:stunnel:3.8p4:::::::*
stunnel	stunnel	3.9	cpe:2.3:a:stunnel:stunnel:3.9:::::::*
stunnel	stunnel	3.10	cpe:2.3:a:stunnel:stunnel:3.10:::::::*
stunnel	stunnel	3.11	cpe:2.3:a:stunnel:stunnel:3.11:::::::*
stunnel	stunnel	3.12	cpe:2.3:a:stunnel:stunnel:3.12:::::::*
stunnel	stunnel	3.13	cpe:2.3:a:stunnel:stunnel:3.13:::::::*
stunnel	stunnel	3.14	cpe:2.3:a:stunnel:stunnel:3.14:::::::*
stunnel	stunnel	3.15	cpe:2.3:a:stunnel:stunnel:3.15:::::::*
stunnel	stunnel	3.16	cpe:2.3:a:stunnel:stunnel:3.16:::::::*
stunnel	stunnel	3.17	cpe:2.3:a:stunnel:stunnel:3.17:::::::*
stunnel	stunnel	3.18	cpe:2.3:a:stunnel:stunnel:3.18:::::::*
stunnel	stunnel	3.19	cpe:2.3:a:stunnel:stunnel:3.19:::::::*
stunnel	stunnel	3.20	cpe:2.3:a:stunnel:stunnel:3.20:::::::*
stunnel	stunnel	3.21	cpe:2.3:a:stunnel:stunnel:3.21:::::::*
stunnel	stunnel	3.21a	cpe:2.3:a:stunnel:stunnel:3.21a:::::::*
stunnel	stunnel	3.21b	cpe:2.3:a:stunnel:stunnel:3.21b:::::::*
stunnel	stunnel	3.21c	cpe:2.3:a:stunnel:stunnel:3.21c:::::::*
stunnel	stunnel	3.22	cpe:2.3:a:stunnel:stunnel:3.22:::::::*
stunnel	stunnel	3.23	cpe:2.3:a:stunnel:stunnel:3.23:::::::*
stunnel	stunnel	3.24	cpe:2.3:a:stunnel:stunnel:3.24:::::::*
stunnel	stunnel	3.25	cpe:2.3:a:stunnel:stunnel:3.25:::::::*
stunnel	stunnel	3.26	cpe:2.3:a:stunnel:stunnel:3.26:::::::*
stunnel	stunnel	4.00	cpe:2.3:a:stunnel:stunnel:4.00:::::::*
stunnel	stunnel	4.01	cpe:2.3:a:stunnel:stunnel:4.01:::::::*
stunnel	stunnel	4.02	cpe:2.3:a:stunnel:stunnel:4.02:::::::*
stunnel	stunnel	4.03	cpe:2.3:a:stunnel:stunnel:4.03:::::::*
stunnel	stunnel	4.04	cpe:2.3:a:stunnel:stunnel:4.04:::::::*
stunnel	stunnel	4.05	cpe:2.3:a:stunnel:stunnel:4.05:::::::*
stunnel	stunnel	4.06	cpe:2.3:a:stunnel:stunnel:4.06:::::::*
stunnel	stunnel	4.07	cpe:2.3:a:stunnel:stunnel:4.07:::::::*
stunnel	stunnel	4.08	cpe:2.3:a:stunnel:stunnel:4.08:::::::*
stunnel	stunnel	4.09	cpe:2.3:a:stunnel:stunnel:4.09:::::::*
stunnel	stunnel	4.10	cpe:2.3:a:stunnel:stunnel:4.10:::::::*
stunnel	stunnel	4.11	cpe:2.3:a:stunnel:stunnel:4.11:::::::*
stunnel	stunnel	4.12	cpe:2.3:a:stunnel:stunnel:4.12:::::::*
stunnel	stunnel	4.13	cpe:2.3:a:stunnel:stunnel:4.13:::::::*
stunnel	stunnel	4.14	cpe:2.3:a:stunnel:stunnel:4.14:::::::*
stunnel	stunnel	4.15	cpe:2.3:a:stunnel:stunnel:4.15:::::::*
stunnel	stunnel	4.16	cpe:2.3:a:stunnel:stunnel:4.16:::::::*
stunnel	stunnel	4.17	cpe:2.3:a:stunnel:stunnel:4.17:::::::*
stunnel	stunnel	4.18	cpe:2.3:a:stunnel:stunnel:4.18:::::::*
stunnel	stunnel	4.19	cpe:2.3:a:stunnel:stunnel:4.19:::::::*
stunnel	stunnel	4.20	cpe:2.3:a:stunnel:stunnel:4.20:::::::*
stunnel	stunnel	4.21	cpe:2.3:a:stunnel:stunnel:4.21:::::::*
stunnel	stunnel	4.22	cpe:2.3:a:stunnel:stunnel:4.22:::::::*
stunnel	stunnel	4.23	cpe:2.3:a:stunnel:stunnel:4.23:::::::*

References for CVE-2008-2420

URL	Tags
http://secunia.com/advisories/30335	Vendor Advisory
http://secunia.com/advisories/30425
http://secunia.com/advisories/31438
http://security.gentoo.org/glsa/glsa-200808-08.xml
http://stunnel.mirt.net/pipermail/stunnel-announce/2008-May/000035.html
http://www.mandriva.com/security/advisories?name=MDVSA-2008:168
http://www.securityfocus.com/bid/29309	Patch
http://www.vupen.com/english/advisories/2008/1569/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/42528
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00856.html
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00907.html
https://www.redhat.com/archives/fedora-package-announce/2008-May/msg00942.html

URL

CVE-2008-2420

Exploit prediction scoring system (EPSS) score for CVE-2008-2420

Common vulnerability scoring system (CVSS) metrics for CVE-2008-2420

Weakness enumeration for CVE-2008-2420

OS Trackers for CVE-2008-2420

Vendor comments (NVD) for CVE-2008-2420

Affected software / configurations for CVE-2008-2420

References for CVE-2008-2420