On some conditions it's possible server's private key to be applied to attacker choosen ciphertext.
vulners.com/securityvulns/securityvulns:doc:4245