Openssl Security Vulnerabilities and Issues — Openssl CVE List

Lucene search

OpensslOpenssl

7 matches found

CVE•added 2017/05/04 7:29 p.m.•230 views

CVE-2017-3731

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users ...

7.5CVSS7.7AI score0.0762EPSS

CVE•added 2017/05/04 8:29 p.m.•189 views

CVE-2016-7055

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is beca...

5.9CVSS6.8AI score0.09515EPSS

CVE•added 2017/05/04 7:29 p.m.•154 views

CVE-2017-3732

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed l...

5.9CVSS6.9AI score0.23408EPSS

CVE•added 2017/05/04 7:29 p.m.•97 views

CVE-2017-3730

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

7.5CVSS7.3AI score0.42314EPSS

CVE•added 2017/05/04 7:29 p.m.•86 views

CVE-2016-7054

In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.

7.5CVSS6.2AI score0.16505EPSS

CVE•added 2017/05/04 7:29 p.m.•70 views

CVE-2017-3733

During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.

7.5CVSS7.3AI score0.05783EPSS

CVE•added 2017/05/04 7:29 p.m.•61 views

CVE-2016-7053

In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to f...

7.5CVSS6.4AI score0.01059EPSS