CVSS: 7.5EPSS: 5%CPEs: 95EXPL: 0CVE-2013-0166 – openssl: DoS due to improper handling of OCSP response verification
https://notcve.org/view.php?id=CVE-2013-0166
08 Feb 2013 — OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. OpenSSL antes de v0.9.8y, v1.0.0 antes de v1.0.0k y v1.0.1 antes de v1.0.1d no realizar correctamente la verificación de firmas para las respuestas OCSP, permite a atacantes remotos provocar una denegación de servicio (desreferencia puntero NUL... • http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=62e4506a7d4cec1c8e1ff687f6b220f6a62a57c7 • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 92%CPEs: 13EXPL: 2CVE-2011-1473 – RSA BSAFE SSL-J DoS / Disclosure
https://notcve.org/view.php?id=CVE-2011-1473
16 Jun 2012 — OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within... • https://github.com/zjt674449039/cve-2011-1473 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 5%CPEs: 99EXPL: 0CVE-2012-2333 – openssl: record length handling integer underflow
https://notcve.org/view.php?id=CVE-2012-2333
14 May 2012 — Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. Desbordamiento de entero en OpenSSL anteriores a v0.9.8x, v1.0.0 anteriores a v1.0.0j, y v1.0.1 anteriores a v1.0.1c, cuando TLS v1.1, TLS v1.2, o DTLS ... • http://cvs.openssl.org/chngview?cn=22538 • CWE-189: Numeric Errors CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 6%CPEs: 91EXPL: 3CVE-2012-2110 – OpenSSL - ASN1 BIO Memory Corruption
https://notcve.org/view.php?id=CVE-2012-2110
19 Apr 2012 — The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. La función asn1_d2i_read_bio en OpenSSL antes de v0.9.8v, en v1.0.0 antes de v1.0.0i y en v1.0.1 an... • https://www.exploit-db.com/exploits/18756 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.5EPSS: 9%CPEs: 86EXPL: 0CVE-2012-1165 – openssl: mime_param_cmp NULL dereference crash
https://notcve.org/view.php?id=CVE-2012-1165
15 Mar 2012 — The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. La función mime_param_cmp en crypto/asn1/asn_mime.c en OpenSSL anteriores v0.9.8u y v1.x v1.0.0h permite atacantes remotos provocar una denegación de servicio (desreferenciación de punterio NULL y caída de aplicación) a través de men... • http://cvs.openssl.org/chngview?cn=22252 • CWE-399: Resource Management Errors CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 3%CPEs: 66EXPL: 0CVE-2012-0884 – openssl: CMS and PKCS#7 Bleichenbacher attack
https://notcve.org/view.php?id=CVE-2012-0884
13 Mar 2012 — The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. La implementación de Cryptographic Message Syntax (CMS) y PKCS #7 de OpenSSL anteriores a 0.9.8u y 1.x anteriores a 1.0.0h no restringe apropiadamente un determinado uso de información posterior ("oracle ... • http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.html • CWE-310: Cryptographic Issues •
CVSS: 6.5EPSS: 4%CPEs: 73EXPL: 0CVE-2006-7250 – openssl: mime_hdr_cmp NULL dereference crash
https://notcve.org/view.php?id=CVE-2006-7250
29 Feb 2012 — The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message. La función mime_hdr_cmp en crypto/asn1/asn_mime.c en OpenSSL v0.9.8t y anteriores permite a atacantes remotos causar una denegación de servicio (desreferencia a puntero nulo y caída de la aplicación) a través de un mensaje S/MIME modificado para tal fin. Multiple vulnerabilities have been found in... • http://cvs.openssl.org/chngview?cn=22144 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 59EXPL: 0CVE-2011-4354
https://notcve.org/view.php?id=CVE-2011-4354
27 Jan 2012 — crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts. crypto/bn/bn_nist.c en OpenSSL anterior a v0.9.8h en plataformas de 32 bits, como se utiliza en stunnel y otros productos, en... • http://crypto.di.uminho.pt/CACE/CT-RSA2012-openssl-src.zip • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 1%CPEs: 67EXPL: 0CVE-2012-0027
https://notcve.org/view.php?id=CVE-2012-0027
06 Jan 2012 — The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client. El motor GOST en OpenSSL antes de v1.0.0f no controla correctamente los parámetros válidos para el cifrado de bloques GOST, lo que permite a atacantes remotos provocar una denegación de servicio (caída del demonio) a través de datos de un cliente TLS específicamente modificados. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 1%CPEs: 64EXPL: 0CVE-2011-4576 – openssl: uninitialized SSL 3.0 padding
https://notcve.org/view.php?id=CVE-2011-4576
06 Jan 2012 — The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. La implementación SSL v3.0 en OpenSSL antes de v0.9.8s y v1.x antes de v1.0.0f no inicializa correctamente las estructuras de datos para el relleno de bloques de cifrado, lo que podría permitir a atacantes remotos obtener información sensible desci... • http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc • CWE-310: Cryptographic Issues •