JLSEC-2026-518

Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-518.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-518.json
JSON Data
https://api.osv.dev/v1/vulns/JLSEC-2026-518
Upstream
Published
2026-05-26T14:17:50.003Z
Modified
2026-05-26T14:30:03.223319201Z
Summary
[none]
Details

GnuTLS 3.6.x before 3.6.14 uses incorrect cryptography for encrypting a session ticket (a loss of confidentiality in TLS 1.2, and an authentication bypass in TLS 1.3). The earliest affected version is 3.6.4 (2018-09-24) because of an error in a 2018-09-18 commit. Until the first key rotation, the TLS server always uses wrong data in place of an encryption key derived from an application.

Database specific
{
    "sources": [
        {
            "imported": "2026-05-22T18:34:34.589Z",
            "id": "CVE-2020-13777",
            "database_specific": {
                "status": "Modified"
            },
            "published": "2020-06-04T07:15:10Z",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13777",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2020-13777",
            "modified": "2024-11-21T05:01:50.330Z"
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / GnuTLS_jll

Package

Name
GnuTLS_jll
Purl
pkg:julia/GnuTLS_jll?uuid=0951126a-58fd-58f1-b5b3-b08c7c4a876d

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.1+0

Database specific

source
"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-518.json"