- Home
- CVEs with nessus.description==According to its banner, the remote web server uses a version of OpenSSL 1.0.1 prior to 1.0.1m. The OpenSSL library is, therefore, affected by the following vulnerabilities :
- A use-after-free condition exists in the d2i_ECPrivateKey() function due to improper processing of malformed EC private key files during import. A remote attacker can exploit this to dereference or free already freed memory, resulting in a denial of service or other unspecified impact. (CVE-2015-0209)
- An invalid read flaw exists in the ASN1_TYPE_cmp() function due to improperly performed boolean-type comparisons. A remote attacker can exploit this, via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature, to cause an invalid read operation, resulting in a denial of service.
(CVE-2015-0286)
- A flaw exists in the ASN1_item_ex_d2i() function due to a failure to reinitialize 'CHOICE' and 'ADB' data structures when reusing a structure in ASN.1 parsing.
This allows a remote attacker to cause an invalid write operation and memory corruption, resulting in a denial of service. (CVE-2015-0287)
- A NULL pointer dereference flaw exists in the X509_to_X509_REQ() function due to improper processing of certificate keys. This allows a remote attacker, via a crafted X.509 certificate, to cause a denial of service. (CVE-2015-0288)
- A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing outer ContentInfo. This allows a remote attacker, using an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, to cause a denial of service. (CVE-2015-0289)
- A flaw exists in servers that both support SSLv2 and enable export cipher suites due to improper implementation of SSLv2. A remote attacker can exploit this, via a crafted CLIENT-MASTER-KEY message, to cause a denial of service. (CVE-2015-0293)
- A key disclosure vulnerability exists in the SSLv2 implementation in the get_client_master_key() function due to the acceptance of a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher. A man-in-the-middle attacker can exploit this to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle.
(CVE-2016-0703)
- An information disclosure vulnerability exists in the SSLv2 implementation in the get_client_master_key() function due to incorrectly overwriting MASTER-KEY bytes during use of export cipher suites. A remote attacker can exploit this to create a Bleichenbacher oracle.
(CVE-2016-0704)
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top