CVSS: 7.5EPSS: 1%CPEs: 95EXPL: 0CVE-2013-0166 – openssl: DoS due to improper handling of OCSP response verification
https://notcve.org/view.php?id=CVE-2013-0166
08 Feb 2013 — OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. OpenSSL antes de v0.9.8y, v1.0.0 antes de v1.0.0k y v1.0.1 antes de v1.0.1d no realizar correctamente la verificación de firmas para las respuestas OCSP, permite a atacantes remotos provocar una denegación de servicio (desreferencia puntero NUL... • http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=62e4506a7d4cec1c8e1ff687f6b220f6a62a57c7 • CWE-310: Cryptographic Issues •
CVSS: 5.9EPSS: 0%CPEs: 72EXPL: 0CVE-2013-0169 – SSL/TLS: CBC padding timing attack (lucky-13)
https://notcve.org/view.php?id=CVE-2013-0169
08 Feb 2013 — The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. El protocolo TLS v1.1 y v1.2 y el protocolo DTLS v1.0 y v1.2, tal como se... • http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released • CWE-310: Cryptographic Issues •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2011-5095
https://notcve.org/view.php?id=CVE-2011-5095
20 Jun 2012 — The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public parameter, which makes it easier for man-in-the-middle attackers to obtain the shared secret key by modifying network traffic, a related issue to CVE-2011-1923. La implementación de intercambio de claves Diffie-Hellman en OpenSSL v0.9.8, cuando estaba habilitado FIPS, no valida correctamente un parámetro público, lo que hace que sea más facil a atacantes man-in-the-middle el obtene... • http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 59%CPEs: 13EXPL: 2CVE-2011-1473 – RSA BSAFE SSL-J DoS / Disclosure
https://notcve.org/view.php?id=CVE-2011-1473
16 Jun 2012 — OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within... • https://github.com/zjt674449039/cve-2011-1473 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 4%CPEs: 99EXPL: 0CVE-2012-2333 – openssl: record length handling integer underflow
https://notcve.org/view.php?id=CVE-2012-2333
14 May 2012 — Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation. Desbordamiento de entero en OpenSSL anteriores a v0.9.8x, v1.0.0 anteriores a v1.0.0j, y v1.0.1 anteriores a v1.0.1c, cuando TLS v1.1, TLS v1.2, o DTLS ... • http://cvs.openssl.org/chngview?cn=22538 • CWE-189: Numeric Errors CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 12%CPEs: 91EXPL: 3CVE-2012-2110 – OpenSSL - ASN1 BIO Memory Corruption
https://notcve.org/view.php?id=CVE-2012-2110
19 Apr 2012 — The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. La función asn1_d2i_read_bio en OpenSSL antes de v0.9.8v, en v1.0.0 antes de v1.0.0i y en v1.0.1 an... • https://www.exploit-db.com/exploits/18756 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 6.5EPSS: 11%CPEs: 86EXPL: 0CVE-2012-1165 – openssl: mime_param_cmp NULL dereference crash
https://notcve.org/view.php?id=CVE-2012-1165
15 Mar 2012 — The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. La función mime_param_cmp en crypto/asn1/asn_mime.c en OpenSSL anteriores v0.9.8u y v1.x v1.0.0h permite atacantes remotos provocar una denegación de servicio (desreferenciación de punterio NULL y caída de aplicación) a través de men... • http://cvs.openssl.org/chngview?cn=22252 • CWE-399: Resource Management Errors CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 66EXPL: 0CVE-2012-0884 – openssl: CMS and PKCS#7 Bleichenbacher attack
https://notcve.org/view.php?id=CVE-2012-0884
13 Mar 2012 — The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. La implementación de Cryptographic Message Syntax (CMS) y PKCS #7 de OpenSSL anteriores a 0.9.8u y 1.x anteriores a 1.0.0h no restringe apropiadamente un determinado uso de información posterior ("oracle ... • http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.html • CWE-310: Cryptographic Issues •
CVSS: 6.5EPSS: 14%CPEs: 73EXPL: 0CVE-2006-7250 – openssl: mime_hdr_cmp NULL dereference crash
https://notcve.org/view.php?id=CVE-2006-7250
29 Feb 2012 — The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message. La función mime_hdr_cmp en crypto/asn1/asn_mime.c en OpenSSL v0.9.8t y anteriores permite a atacantes remotos causar una denegación de servicio (desreferencia a puntero nulo y caída de la aplicación) a través de un mensaje S/MIME modificado para tal fin. Multiple vulnerabilities have been found in... • http://cvs.openssl.org/chngview?cn=22144 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 59EXPL: 0CVE-2011-4354
https://notcve.org/view.php?id=CVE-2011-4354
27 Jan 2012 — crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular reduction algorithm in its implementation of the P-256 and P-384 NIST elliptic curves, which allows remote attackers to obtain the private key of a TLS server via multiple handshake attempts. crypto/bn/bn_nist.c en OpenSSL anterior a v0.9.8h en plataformas de 32 bits, como se utiliza en stunnel y otros productos, en... • http://crypto.di.uminho.pt/CACE/CT-RSA2012-openssl-src.zip • CWE-310: Cryptographic Issues •