CVSS: 7.5EPSS: 8%CPEs: 14EXPL: 0CVE-2010-0433 – openssl: crash caused by a missing krb5_sname_to_principal() return value check
https://notcve.org/view.php?id=CVE-2010-0433
05 Mar 2010 — The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot. La funcion kssl_keytab_is_available en ssl/kssl.c en OpenSSL before v... • http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 18%CPEs: 71EXPL: 0CVE-2009-4355 – openssl significant memory leak in certain SSLv3 requests (DoS)
https://notcve.org/view.php?id=CVE-2009-4355
14 Jan 2010 — Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678. Fuga de memoria en la función zlib_stateful_finish en crypto/comp/c_zlib.c en OpenSSL v0.9.8l y anteriores, y v1.0.0 ... • http://cvs.openssl.org/chngview?cn=19068 • CWE-399: Resource Management Errors CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 9.8EPSS: 3%CPEs: 21EXPL: 6CVE-2009-3555 – Mozilla NSS - NULL Character CA SSL Certificate Validation Security Bypass
https://notcve.org/view.php?id=CVE-2009-3555
09 Nov 2009 — The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other... • https://www.exploit-db.com/exploits/10071 • CWE-295: Improper Certificate Validation CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 7.5EPSS: 38%CPEs: 3EXPL: 0CVE-2009-0590 – openssl: ASN1 printing crash
https://notcve.org/view.php?id=CVE-2009-0590
27 Mar 2009 — The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. La función ASN1_STRING_print_ex en OpenSSL versiones anteriores a v0.9.8k permite a atacantes remotos provocar una denegación de servicio (acceso inválido a memoria y caída de la aplicación) mediante vectores que provocan la impresión de (1) BMPS... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 10%CPEs: 62EXPL: 0CVE-2009-0789
https://notcve.org/view.php?id=CVE-2009-0789
27 Mar 2009 — OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and application crash) by placing this structure in the public key of a certificate, as demonstrated by an RSA public key. OpenSSL anterior a v0.9.8k en plataformas WIN64 y otras plataformas no maneja adecuadamente una estructura ASN.1 malformada, permitiendo a atacantes remotos provocar una denegación de servicio (... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc • CWE-189: Numeric Errors •
CVSS: 6.1EPSS: 9%CPEs: 59EXPL: 0CVE-2008-5077 – OpenSSL Incorrect checks for malformed signatures
https://notcve.org/view.php?id=CVE-2008-5077
07 Jan 2009 — OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. OpenSSL 0.9.8i y versiones anteriores no comprueba correctamente el valor de retorno de la función EVP_VerifyFinal, lo que permite a atacantes remotos evitar la validación de la cadena del certificado a través de una firma SSL/TLS mal formada para las claves DSA y ECDSA. • http://lists.apple.com/archives/security-announce/2009/May/msg00002.html • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2007-5536
https://notcve.org/view.php?id=CVE-2007-5536
18 Oct 2007 — Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors. Vulnerabilidad sin especificar en el OpenSSL anterior al A.00.09.07l en el HP-UX B.11.11, B.11.23 y B.11.31 permite a usuarios locales provocar una denegación de servicio a través de vectores sin especificar. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01203958 •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3108 – openssl: RSA side-channel attack
https://notcve.org/view.php?id=CVE-2007-3108
08 Aug 2007 — The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. La función BN_from_montgomery en el crypto/bn/bn_mont.c del OpenSSL 0.9.8e y anteriores, no interpreta adecuadamente la multiplicación Montgomery, lo que permite a usuarios locales llevar a cabo ataques por canal colateral (side-channel) y recuperar claves privadas RSA. Multiple ... • http://cvs.openssl.org/chngview?cn=16275 •
CVSS: 7.8EPSS: 27%CPEs: 47EXPL: 0CVE-2006-2940 – openssl public key DoS
https://notcve.org/view.php?id=CVE-2006-2940
28 Sep 2006 — OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2) "public modulus" values in X.509 certificates that require extra time to process when using RSA signature verification. OpenSSL 0.9.7 en versiones anteriores a 0.9.7l, 0.9.8 en versiones anteriores a 0.9.8d y versiones anteriores permite a atacantes provocar una denegación de servicio (consumo de CPU) a través... • ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 27%CPEs: 45EXPL: 0CVE-2006-4339 – openssl signature forgery
https://notcve.org/view.php?id=CVE-2006-4339
05 Sep 2006 — OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. OpenSSL en versiones anteriores a 0.9.7, 0.9.7 en versiones anteriores a 0.9.7k y 0.9.8 en versiones anteriores a 0.9.8c, cuando usa una clave RSA con exponente 3, elim... • ftp://patches.sgi.com/support/free/security/advisories/20060901-01-P.asc • CWE-310: Cryptographic Issues •