CVSS: 5.0EPSS: 0%CPEs: 95EXPL: 0CVE-2013-0166 – openssl: DoS due to improper handling of OCSP response verification
https://notcve.org/view.php?id=CVE-2013-0166
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. OpenSSL antes de v0.9.8y, v1.0.0 antes de v1.0.0k y v1.0.1 antes de v1.0.1d no realizar correctamente la verificación de firmas para las respuestas OCSP, permite a atacantes remotos provocar una denegación de servicio (desreferencia puntero NULL y caída de la aplicación) a través de una tecla no válida. • http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=62e4506a7d4cec1c8e1ff687f6b220f6a62a57c7 http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=66e8211c0b1347970096e04b18aa52567c325200 http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=ebc71865f0506a293242bd4aec97cdc7a8ef24b0 http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html http: • CWE-310: Cryptographic Issues •
CVSS: 6.8EPSS: 4%CPEs: 99EXPL: 0CVE-2012-2333 – openssl: record length handling integer underflow
https://notcve.org/view.php?id=CVE-2012-2333
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. Desbordamiento de entero en OpenSSL anteriores a v0.9.8x, v1.0.0 anteriores a v1.0.0j, y v1.0.1 anteriores a v1.0.1c, cuando TLS v1.1, TLS v1.2, o DTLS es usado con cifrado CBC, permite a atacantes remotos a provocar una denegación de servicio (sobre escritura del búfer) o posiblemente tener otros impactos no determinados a través de paquetes TLS manipulados que no son gestionados de forma adecuada en ciertos cálculos de vectores IV concretos. • http://cvs.openssl.org/chngview?cn=22538 http://cvs.openssl.org/chngview?cn=22547 http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2012-May/081460.html http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00019.html http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00020.html http://marc.info/?l=bugtraq&m& • CWE-189: Numeric Errors CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 10%CPEs: 91EXPL: 3CVE-2012-2110 – OpenSSL - ASN1 BIO Memory Corruption
https://notcve.org/view.php?id=CVE-2012-2110
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. La función asn1_d2i_read_bio en OpenSSL antes de v0.9.8v, en v1.0.0 antes de v1.0.0i y en v1.0.1 antes de v1.0.1a no interpreta correctamente los enteros, lo que permite realizar ataques de desbordamiento de buffer a atacantes remotos, y provocar una denegación de servicio (por corrupción de memoria) o posiblemente tener un impacto no especificado, a través de datos DER debidamente modificados, como lo demuestra un certificado X.509 o una clave pública RSA. • https://www.exploit-db.com/exploits/18756 http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0209.html http://cvs.openssl.org/chngview?cn=22431 http://cvs.openssl.org/chngview?cn=22434 http://cvs.openssl.org/chngview?cn=22439 http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079149.html http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079299.html http://lists.fedoraproje • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0CVE-2007-5536
https://notcve.org/view.php?id=CVE-2007-5536
Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors. Vulnerabilidad sin especificar en el OpenSSL anterior al A.00.09.07l en el HP-UX B.11.11, B.11.23 y B.11.31 permite a usuarios locales provocar una denegación de servicio a través de vectores sin especificar. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01203958 http://osvdb.org/37894 http://secunia.com/advisories/27265 http://www.securityfocus.com/bid/26093 http://www.vupen.com/english/advisories/2007/3526 https://exchange.xforce.ibmcloud.com/vulnerabilities/37231 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5871 •