National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:openssl:openssl:0.9.8n
There are 72 matching records.
Displaying matches 61 through 72.
Vuln ID Summary CVSS Severity
CVE-2010-4252

OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

Published: December 06, 2010; 04:05:49 PM -05:00
    V2: 7.5 HIGH
CVE-2010-4180

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Published: December 06, 2010; 04:05:48 PM -05:00
    V2: 4.3 MEDIUM
CVE-2010-3864

Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.

Published: November 17, 2010; 11:00:01 AM -05:00
    V2: 7.6 HIGH
CVE-2010-0742

The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.

Published: June 03, 2010; 10:30:01 AM -04:00
    V2: 7.5 HIGH
CVE-2009-3767

libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Published: October 23, 2009; 03:30:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2009-3766

mutt_ssl.c in mutt 1.5.16 and other versions before 1.5.19, when OpenSSL is used, does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: October 23, 2009; 03:30:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2009-3765

mutt_ssl.c in mutt 1.5.19 and 1.5.20, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Published: October 23, 2009; 03:30:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2009-1390

Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire chain, which allows remote attackers to spoof trusted servers via a man-in-the-middle attack.

Published: June 16, 2009; 05:00:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2009-1387

The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."

Published: June 04, 2009; 12:30:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2009-0590

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Published: March 27, 2009; 12:30:00 PM -04:00
    V2: 5.0 MEDIUM
CVE-2007-5536

Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.

Published: October 17, 2007; 08:17:00 PM -04:00
    V2: 4.9 MEDIUM
CVE-1999-0428

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

Published: March 22, 1999; 12:00:00 AM -05:00
    V2: 7.5 HIGH