CVSS: 7.4EPSS: 97%CPEs: 28EXPL: 3CVE-2014-0224 – openssl: SSL/TLS MITM vulnerability
https://notcve.org/view.php?id=CVE-2014-0224
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. OpenSSL anterior a 0.9.8za, 1.0.0 anterior a 1.0.0m y 1.0.1 anterior a 1.0.1h no restringe debidamente el procesamiento de mensajes ChangeCipherSpec, lo que permite a atacantes man-in-the-middle provocar el uso de una clave maestra de longitud cero en ciertas comunicaciones OpenSSL-a-OpenSSL, y como consecuencia secuestrar sesiones u obtener información sensible, a través de una negociación TLS manipulada, también conocido como la vulnerabilidad de 'inyección CCS'. It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. • https://github.com/secretnonempty/CVE-2014-0224 https://github.com/iph0n3/CVE-2014-0224 http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.asc http://ccsinjection.lepidum.co.jp http://dev.mysql.com/doc/relnotes/workbench/en/wb-news-6-1-7.html http://esupport.trendmicro.com/solution/en-US/1103813.aspx http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10629 http://kb.juniper.net/InfoCenter/index?page=content&id=KB29195 http://kb.juniper.net/InfoCenter/ • CWE-326: Inadequate Encryption Strength CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 7.5EPSS: 1%CPEs: 145EXPL: 0CVE-2013-6668 – v8: multiple vulnerabilities fixed in Google Chrome version 33.0.1750.146
https://notcve.org/view.php?id=CVE-2013-6668
Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. Múltiples vulnerabilidades no especificadas en Google V8 anterior a 3.24.35.10, utilizado en Google Chrome anterior a 33.0.1750.146, permiten a atacantes causar una denegación de servicio o posiblemente tener otro impacto a través de vectores desconocidos. • http://advisories.mageia.org/MGASA-2014-0516.html http://googlechromereleases.blogspot.com/2014/03/stable-channel-update.html http://secunia.com/advisories/61184 http://www-01.ibm.com/support/docview.wss?uid=swg21683389 http://www.debian.org/security/2014/dsa-2883 http://www.mandriva.com/security/advisories?name=MDVSA-2015:142 http://www.securityfocus.com/bid/65930 https://code.google.com/p/chromium/issues/detail?id=343964 https://code.google.com/p/chromium/issues/detail?id=3441 •