CVSS: 5.0EPSS: 94%CPEs: 147EXPL: 6CVE-2014-3566 – SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
https://notcve.org/view.php?id=CVE-2014-3566
15 Oct 2014 — The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. El protocolo SSL 3.0, utilizado en OpenSSL hasta 1.0.1i y otros productos, utiliza relleno (padding) CBC no determinístico, lo que facilita a los atacantes man-in-the-middle obtener datos de texto plano a través de un ataque de relleno (padding) oracle, también conocid... • https://github.com/mikesplain/CVE-2014-3566-poodle-cookbook • CWE-310: Cryptographic Issues CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •
CVSS: 7.5EPSS: 30%CPEs: 13EXPL: 0CVE-2014-3513 – openssl: SRTP memory leak causes crash when using specially-crafted handshake message
https://notcve.org/view.php?id=CVE-2014-3513
15 Oct 2014 — Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message. Fuga de memoria en d1_srtp.c en la extensión DTLS SRTP en OpenSSL 1.0.1 anterior a 1.0.1j permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de un mensaje de negociación manipulado. A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc • CWE-20: Improper Input Validation CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 9.8EPSS: 24%CPEs: 34EXPL: 0CVE-2014-3567 – openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash
https://notcve.org/view.php?id=CVE-2014-3567
15 Oct 2014 — Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure. Fuga de memoria en la función tls_decrypt_ticket en t1_lib.c en OpenSSL anterior a 0.9.8zc, 1.0.0 anterior a 1.0.0o, y 1.0.1 anterior a 1.0.1j permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través d... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc • CWE-20: Improper Input Validation CWE-399: Resource Management Errors CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 4%CPEs: 34EXPL: 0CVE-2014-3568 – HP Security Bulletin HPSBOV03227
https://notcve.org/view.php?id=CVE-2014-3568
15 Oct 2014 — OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c. OpenSSL anterior a 0.9.8zc, 1.0.0 anterior a 1.0.0o, y 1.0.1 anterior a 1.0.1j no fuerza correctamente la opción build no-ssl3, lo que permite a atacantes remotos evadir las restricciones de acceso a través de una negociación SSL 3.0, relacionado con s23_cln... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 21%CPEs: 12EXPL: 1CVE-2014-5139 – FreeBSD Security Advisory - OpenSSL Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-5139
06 Aug 2014 — The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client. La función ssl_set_client_disabled en t1_lib.c en OpenSSL 1.0.1 anterior a 1.0.1i permite a servidores SSL remotos causar una denegación de servicio (referencia a puntero nulo y caída de la ap... • https://github.com/uthrasri/CVE-2014-5139 •
CVSS: 5.9EPSS: 7%CPEs: 31EXPL: 0CVE-2014-3511 – openssl: TLS protocol downgrade attack
https://notcve.org/view.php?id=CVE-2014-3511
06 Aug 2014 — The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. La función ssl23_get_client_hello en s23_srvr.c en OpenSSL 1.0.1 anterior a 1.0.1i permite a atacantes man-in-the-middle forzar el uso de TLS 1.0 mediante la provocación de la fragmentación de men... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-390: Detection of Error Condition Without Action •
CVSS: 7.5EPSS: 45%CPEs: 59EXPL: 0CVE-2014-3505 – openssl: DTLS packet processing double free
https://notcve.org/view.php?id=CVE-2014-3505
06 Aug 2014 — Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition. Vulnerabilidad de doble liberación en d1_both.c en la implementación DTLS en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.0.0n, y 1.0.1 anterior a 1.0.1i permite a atacantes remotos causar una denegación de servicio (caída de apl... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 7.5EPSS: 50%CPEs: 59EXPL: 0CVE-2014-3506 – openssl: DTLS memory exhaustion
https://notcve.org/view.php?id=CVE-2014-3506
06 Aug 2014 — d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values. d1_both.c en la implementación DTLS en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.0.0n, y 1.0.1 anterior a 1.0.1i permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través d... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 74%CPEs: 59EXPL: 1CVE-2014-3507 – openssl: DTLS memory leak from zero-length fragments
https://notcve.org/view.php?id=CVE-2014-3507
06 Aug 2014 — Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. Fuga de memoria en d1_both.c en la implementación DTLS en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.0.0n, y 1.0.1 anterior a 1.0.1i permite a atacantes remotos causar una denegación de ... • https://github.com/Satheesh575555/openSSL_1.0.1g_CVE-2014-3507 • CWE-399: Resource Management Errors CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.9EPSS: 2%CPEs: 59EXPL: 0CVE-2014-3508 – openssl: information leak in pretty printing functions
https://notcve.org/view.php?id=CVE-2014-3508
06 Aug 2014 — The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions. La función OBJ_obj2txt en crypto/objects/obj_dat.c en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •