CVE-2019-1552
Detail
Modified
This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.
Description
OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Metrics
CVSS Version 4.0
CVSS Version 3.x
CVSS Version 2.0
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
CVSS 4.0 Severity and Vector Strings:
NVD assessment
not yet provided.
CVSS 3.x Severity and Vector Strings:
Vector:
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0 Severity and Vector Strings:
Vector:
(AV:L/AC:M/Au:N/C:N/I:P/A:N)
References to Advisories, Solutions, and Tools
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected] .
URL
Source(s)
Tag(s)
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
CVE, OpenSSL Software Foundation
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=54aa9d51b09d67e90db443f682cface795f5af9e
CVE, OpenSSL Software Foundation
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b15a19c148384e73338aa7c5b12652138e35ed28
CVE, OpenSSL Software Foundation
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
CVE, OpenSSL Software Foundation
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e32bc855a81a2d48d215c506bdeb4f598045f7e9
CVE, OpenSSL Software Foundation
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
CVE, OpenSSL Software Foundation
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
CVE, OpenSSL Software Foundation
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
CVE, OpenSSL Software Foundation
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
CVE, OpenSSL Software Foundation
https://security.netapp.com/advisory/ntap-20190823-0006/
CVE, OpenSSL Software Foundation
https://support.f5.com/csp/article/K94041354
CVE, OpenSSL Software Foundation
https://support.f5.com/csp/article/K94041354?utm_source=f5support&%3Butm_medium=RSS
CVE, OpenSSL Software Foundation
https://www.kb.cert.org/vuls/id/429301
CVE, OpenSSL Software Foundation
https://www.openssl.org/news/secadv/20190730.txt
CVE, OpenSSL Software Foundation
Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html
CVE, OpenSSL Software Foundation
https://www.oracle.com/security-alerts/cpujan2020.html
CVE, OpenSSL Software Foundation
https://www.oracle.com/security-alerts/cpujul2020.html
CVE, OpenSSL Software Foundation
https://www.oracle.com/security-alerts/cpuoct2020.html
CVE, OpenSSL Software Foundation
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
CVE, OpenSSL Software Foundation
https://www.tenable.com/security/tns-2019-08
CVE, OpenSSL Software Foundation
https://www.tenable.com/security/tns-2019-09
CVE, OpenSSL Software Foundation
Weakness Enumeration
CWE-ID
CWE Name
Source
CWE-295
Improper Certificate Validation
NIST
Change History
20 change records found show changes
CVE Modified by CVE 11/20/2024 11:36:48 PM
Action
Type
Old Value
New Value
Added
Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
Added
Reference
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=54aa9d51b09d67e90db443f682cface795f5af9e
Added
Reference
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b15a19c148384e73338aa7c5b12652138e35ed28
Added
Reference
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
Added
Reference
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e32bc855a81a2d48d215c506bdeb4f598045f7e9
Added
Reference
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
Added
Reference
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
Added
Reference
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
Added
Reference
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
Added
Reference
https://security.netapp.com/advisory/ntap-20190823-0006/
Added
Reference
https://support.f5.com/csp/article/K94041354
Added
Reference
https://support.f5.com/csp/article/K94041354?utm_source=f5support&%3Butm_medium=RSS
Added
Reference
https://www.kb.cert.org/vuls/id/429301
Added
Reference
https://www.openssl.org/news/secadv/20190730.txt
Added
Reference
https://www.oracle.com/security-alerts/cpuapr2020.html
Added
Reference
https://www.oracle.com/security-alerts/cpujan2020.html
Added
Reference
https://www.oracle.com/security-alerts/cpujul2020.html
Added
Reference
https://www.oracle.com/security-alerts/cpuoct2020.html
Added
Reference
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Added
Reference
https://www.tenable.com/security/tns-2019-08
Added
Reference
https://www.tenable.com/security/tns-2019-09
CVE Modified by OpenSSL Software Foundation 5/14/2024 1:53:03 AM
Action
Type
Old Value
New Value
CVE Modified by OpenSSL Software Foundation 11/06/2023 10:08:29 PM
Action
Type
Old Value
New Value
Added
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=54aa9d51b09d67e90db443f682cface795f5af9e [No types assigned]
Added
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b15a19c148384e73338aa7c5b12652138e35ed28 [No types assigned]
Added
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=d333ebaf9c77332754a9d5e111e2f53e1de54fdd [No types assigned]
Added
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e32bc855a81a2d48d215c506bdeb4f598045f7e9 [No types assigned]
Added
Reference
OpenSSL Software Foundation https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/ [No types assigned]
Added
Reference
OpenSSL Software Foundation https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/ [No types assigned]
Added
Reference
OpenSSL Software Foundation https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/ [No types assigned]
Added
Reference
OpenSSL Software Foundation https://support.f5.com/csp/article/K94041354?utm_source=f5support&%3Butm_medium=RSS [No types assigned]
Removed
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e
Removed
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28
Removed
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
Removed
Reference
OpenSSL Software Foundation https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9
Removed
Reference
OpenSSL Software Foundation https://lists.fedoraproject.org/archives/list/[email protected] /message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
Removed
Reference
OpenSSL Software Foundation https://lists.fedoraproject.org/archives/list/[email protected] /message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
Removed
Reference
OpenSSL Software Foundation https://lists.fedoraproject.org/archives/list/[email protected] /message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
Removed
Reference
OpenSSL Software Foundation https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS
CVE Modified by OpenSSL Software Foundation 12/13/2022 7:15:26 AM
Action
Type
Old Value
New Value
Added
Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 7/31/2021 4:15:09 AM
Action
Type
Old Value
New Value
Added
Reference
https://kc.mcafee.com/corporate/index?page=content&id=SB10365 [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 12/23/2020 5:15:13 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.kb.cert.org/vuls/id/429301 [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 10/20/2020 6:15:34 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.oracle.com/security-alerts/cpuoct2020.html [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 7/14/2020 11:15:46 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.oracle.com/security-alerts/cpujul2020.html [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 4/15/2020 5:15:33 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.oracle.com/security-alerts/cpuapr2020.html [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 1/15/2020 3:15:23 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.oracle.com/security-alerts/cpujan2020.html [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 12/30/2019 8:15:17 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.tenable.com/security/tns-2019-09 [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 12/19/2019 6:15:16 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.tenable.com/security/tns-2019-08 [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 10/16/2019 2:15:25 PM
Action
Type
Old Value
New Value
Added
Reference
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 10/09/2019 4:15:24 PM
Action
Type
Old Value
New Value
Added
Reference
https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 10/07/2019 5:15:13 PM
Action
Type
Old Value
New Value
Added
Reference
https://support.f5.com/csp/article/K94041354 [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 9/26/2019 12:15:15 AM
Action
Type
Old Value
New Value
Added
Reference
https://lists.fedoraproject.org/archives/list/[email protected] /message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/ [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 9/24/2019 11:15:11 PM
Action
Type
Old Value
New Value
Added
Reference
https://lists.fedoraproject.org/archives/list/[email protected] /message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/ [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 9/20/2019 10:15:11 PM
Action
Type
Old Value
New Value
Added
Reference
https://lists.fedoraproject.org/archives/list/[email protected] /message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/ [No Types Assigned]
CVE Modified by OpenSSL Software Foundation 8/23/2019 5:15:12 PM
Action
Type
Old Value
New Value
Added
Reference
https://security.netapp.com/advisory/ntap-20190823-0006/ [No Types Assigned]
Initial Analysis by NIST 8/11/2019 8:46:24 PM
Action
Type
Old Value
New Value
Added
CVSS V3
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Added
CVSS V2
(AV:L/AC:M/Au:N/C:N/I:P/A:N)
Added
CWE
CWE-295
Added
CPE Configuration
OR
*cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.0.2 up to (including) 1.0.2s
*cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.1.0 up to (including) 1.1.0k
*cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from (including) 1.1.1 up to (including) 1.1.1c
Changed
Reference Type
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e No Types Assigned
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e Mailing List, Patch, Vendor Advisory
Changed
Reference Type
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28 No Types Assigned
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28 Mailing List, Vendor Advisory
Changed
Reference Type
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd No Types Assigned
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd Mailing List, Patch, Vendor Advisory
Changed
Reference Type
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9 No Types Assigned
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9 Mailing List, Patch, Vendor Advisory
Changed
Reference Type
https://www.openssl.org/news/secadv/20190730.txt No Types Assigned
https://www.openssl.org/news/secadv/20190730.txt Vendor Advisory
Quick Info
CVE Dictionary Entry: CVE-2019-1552 NVD
Published Date: 07/30/2019 NVD
Last Modified: 11/20/2024
Source: OpenSSL Software Foundation