CVSS: 5.9EPSS: 1%CPEs: 64EXPL: 0CVE-2011-4108 – openssl: DTLS plaintext recovery attack
https://notcve.org/view.php?id=CVE-2011-4108
06 Jan 2012 — The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack. La implementación DTLS en OpenSSL antes de v0.9.8s y v1.x antes de v1.0.0f realiza una comprobación de MAC sólo si determinado relleno es válida, lo que facilita a los atacantes remotos a la hora de recuperar texto a través de un ataque de relleno. • http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 10%CPEs: 64EXPL: 0CVE-2011-4577 – openssl: malformed RFC 3779 data can cause assertion failures
https://notcve.org/view.php?id=CVE-2011-4577
06 Jan 2012 — OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers. OpenSSL antes de v0.9.8s y v1.x antes de v1.0.0f, cuando el soporte al RFC 3779 está habilitado, permite a atacantes remotos provocar una denegación de servicio (error de aserción) a través de un certificado X.509 qu... • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041 • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 3%CPEs: 19EXPL: 0CVE-2011-4109 – openssl: double-free in policy checks
https://notcve.org/view.php?id=CVE-2011-4109
06 Jan 2012 — Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. Una vulnerabilidad de doble liberación en OpenSSL v0.9.8 antes de v0.9.8s, cuando la opción X509_V_FLAG_POLICY_CHECK está activada, permite a atacantes remotos tener un impacto no especificado al provocar el fallo de un control de la política. • http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 7%CPEs: 67EXPL: 0CVE-2012-0027
https://notcve.org/view.php?id=CVE-2012-0027
06 Jan 2012 — The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted data from a TLS client. El motor GOST en OpenSSL antes de v1.0.0f no controla correctamente los parámetros válidos para el cifrado de bloques GOST, lo que permite a atacantes remotos provocar una denegación de servicio (caída del demonio) a través de datos de un cliente TLS específicamente modificados. • http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041 • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 20%CPEs: 64EXPL: 0CVE-2011-4619 – openssl: SGC restart DoS attack
https://notcve.org/view.php?id=CVE-2011-4619
06 Jan 2012 — The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors. La implementación del servidor de criptografía SGC en OpenSSL antes de v0.9.8s y en v1.x antes de v1.0.0f no controla correctamente los reinicios de 'handshake' (apretón de manos), lo que permite a atacantes remotos provocar una denegación de servicio a través de vec... • http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc • CWE-399: Resource Management Errors •
CVSS: 7.5EPSS: 1%CPEs: 64EXPL: 0CVE-2011-4576 – openssl: uninitialized SSL 3.0 padding
https://notcve.org/view.php?id=CVE-2011-4576
06 Jan 2012 — The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. La implementación SSL v3.0 en OpenSSL antes de v0.9.8s y v1.x antes de v1.0.0f no inicializa correctamente las estructuras de datos para el relleno de bloques de cifrado, lo que podría permitir a atacantes remotos obtener información sensible desci... • http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 26%CPEs: 30EXPL: 0CVE-2011-3210
https://notcve.org/view.php?id=CVE-2011-3210
22 Sep 2011 — The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol. La efímera funcionalidad de cifrado ECDH en OpenSSL versiones v0.9.8 a v0.9.8s y v1.0.x antes de v1.0.0e no garantiza la seguridad de los subprocesos durante el procesamiento de los mensajes de 'h... • http://cvs.openssl.org/chngview?cn=21337 • CWE-399: Resource Management Errors •
CVSS: 5.9EPSS: 0%CPEs: 78EXPL: 1CVE-2011-1945 – Gentoo Linux Security Advisory 201312-03
https://notcve.org/view.php?id=CVE-2011-1945
31 May 2011 — The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation. El subsistema de criptografía de curva elíptica (ECC) de OpenSSL v1.0.0d y versiones anteriores, cuando el algoritmo de firma digital de la curva elí... • http://eprint.iacr.org/2011/232.pdf • CWE-310: Cryptographic Issues •
CVSS: 9.1EPSS: 9%CPEs: 19EXPL: 0CVE-2011-0014 – openssl: OCSP stapling vulnerability
https://notcve.org/view.php?id=CVE-2011-0014
18 Feb 2011 — ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability." ssl/t1_lib.c en OpenSSL v0.9.8h hasta v0.9.8q y v1.0.0 hasta v1.0.0c permite a atacantes remotos causar una denegación de servicio (por caída de la aplicación) y posiblemente o... • http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-002.txt.asc • CWE-399: Resource Management Errors •
CVSS: 9.1EPSS: 0%CPEs: 61EXPL: 0CVE-2008-7270 – openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack
https://notcve.org/view.php?id=CVE-2008-7270
06 Dec 2010 — OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180. OpenSSL en versiones anteriores a la 0.9.8j, si SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG está activado, no previene la modificación de sus datos en la caché de sesión,... • http://cvs.openssl.org/chngview?cn=17489 • CWE-310: Cryptographic Issues •