CVE-2009-1416 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	11%	–	–
2022-04-03	–	–	11%	–	–
2022-05-22	–	–	11%	–	–
2023-03-12	–	–	–	2.84%	–
2023-10-15	–	–	–	2.84%	–
2024-04-07	–	–	–	2.84%	–
2024-06-02	–	–	–	2.84%	–
2024-11-10	–	–	–	2.49%	–
2024-12-22	–	–	–	2.79%	–
2025-02-09	–	–	–	2.79%	–
2025-01-19	–	–	–	2.79%	–
2025-02-16	–	–	–	2.79%	–
2025-03-18	–	–	–	–	5.09%
2025-03-30	–	–	–	–	5.34%
2025-03-30	–	–	–	–	5.34,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	89%
2022-04-03	94%
2022-05-22	95%
2023-03-12	89%
2023-10-15	9%
2024-04-07	91%
2024-06-02	91%
2024-11-10	9%
2024-12-22	9%
2025-02-09	91%
2025-01-19	9%
2025-02-16	91%
2025-03-18	89%
2025-03-30	89%
2025-03-30	89%

// source: https://www.securityfocus.com/bid/34783/info GnuTLS is prone to multiple remote vulnerabilities: - A remote code-execution vulnerability - A denial-of-service vulnerability - A signature-generation vulnerability - A signature-verification vulnerability An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers. Versions prior to GnuTLS 2.6.6 are vulnerable. /* * Small code to reproduce the CVE-2009-1416 bad DSA key problem. * * Build it using: * * gcc -o cve-2009-1416 cve-2009-1416.c -lgnutls * * If your gnutls library is OK then running it will print 'success!'. * * If your gnutls library is buggy then running it will print 'buggy'. * */ #include <stdio.h> #include <stdarg.h> #include <stdlib.h> #include <gcrypt.h> #include <gnutls/gnutls.h> int main (void) { gnutls_x509_privkey_t key; gnutls_datum_t p, q, g, y, x; int ret; gnutls_global_init (); gcry_control (GCRYCTL_ENABLE_QUICK_RANDOM, 0); ret = gnutls_x509_privkey_init (&key); if (ret < 0) return 1; ret = gnutls_x509_privkey_generate (key, GNUTLS_PK_DSA, 512, 0); if (ret < 0) return 1; ret = gnutls_x509_privkey_export_dsa_raw (key, &p, &q, &g, &y, &x); if (ret < 0) return 1; if (q.size == 3 && memcmp (q.data, "\x01\x00\x01", 3) == 0) printf ("buggy\n"); else printf ("success!\n"); gnutls_free (p.data); gnutls_free (q.data); gnutls_free (g.data); gnutls_free (y.data); gnutls_free (x.data); gnutls_x509_privkey_deinit (key); gnutls_global_deinit (); return 0; }