CVE Daily
← All tags

Tag: OpenSSL

All CVEs associated with "OpenSSL". Page 5/5 • 553 CVEs.

Subscribe CVEs: RSS for “OpenSSL”  ·  RSS (High+Critical only)

About “OpenSSL”

A curated feed of “OpenSSL”-related CVEs appears below. We currently track 553 CVEs for this tag (all time). In the last 365 days, 92 were published. Average CVSS is 6.6 (all time; 7.0 over 365d), and 49% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-476 - NULL Pointer Dereference, CWE-427 - Uncontrolled Search Path Element, CWE-787 - Out-of-bounds Write.

In our taxonomy this topic maps to a MODERATE impact class. Crypto or TLS libraries have ecosystem wide impact. Upgrade, restart dependents, disable legacy protocols, and consider key rotation. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2009-05-19
Medium

CVE-2009-1377

The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future e…

CVSS: 5.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Medium

CVE-2009-1252

Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execu…

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2009-05-14
Medium

CVE-2009-1632

Multiple memory leaks in Ipsec-tools before 0.7.2 allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) signature verification during user authentication…

CVSS: 5.0 CWE: CWE-399 View on NVD
2009-05-13
Medium

CVE-2009-0161

The OpenSSL::OCSP module for Ruby in Apple Mac OS X 10.5 before 10.5.7 misinterprets an unspecified invalid response as a successful OCSP certificate validation, which might allow remote attackers to…

CVSS: 6.4 CWE: CWE-20 - Improper Input Validation View on NVD
2009-03-27
Medium

CVE-2009-0789

OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remote attackers to cause a denial of service (invalid memory access and…

CVSS: 5.0 CWE: CWE-189 View on NVD
Low

CVE-2009-0591

The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate…

CVSS: 2.6 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0590

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1…

CVSS: 5.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2009-02-20
High

CVE-2009-0653

OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-mid…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0642

ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 c…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2009-01-26
High

CVE-2009-0265

Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the…

CVSS: 7.5 CWE: CWE-252 - Unchecked Return Value View on NVD
2009-01-15
High

CVE-2009-0130

lib/crypto/c_src/crypto_drv.c in erlang does not properly check the return value from the OpenSSL DSA_do_verify function, which might allow remote attackers to bypass validation of the certificate ch…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0129

libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0128

plugins/crypto/openssl/crypto_openssl.c in Simple Linux Utility for Resource Management (aka SLURM or slurm-llnl) does not properly check the return value from the OpenSSL EVP_VerifyFinal function, w…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0127

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypas…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0126

The decrypt_public function in lib/crypt.cpp in the client in Berkeley Open Infrastructure for Network Computing (BOINC) 6.2.14 and 6.4.5 does not check the return value from the OpenSSL RSA_public_d…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0125

NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the O…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0124

The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allow…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2009-01-07
Medium

CVE-2009-0051

ZXID 0.29 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TL…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0050

Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2009-0049

Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certifi…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0048

OpenEvidence 1.0.6 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a ma…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0047

Gale 0.99 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed S…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0046

Sun GridEngine 5.3 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a ma…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0025

BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0021

NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certi…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2008-5077

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/…

CVSS: 5.8 CWE: CWE-20 - Improper Input Validation View on NVD
2008-12-10
High

CVE-2008-5410

The PK11_SESSION cache in the OpenSSL PKCS#11 engine in Sun Solaris 10 does not maintain reference counts for operations with asymmetric keys, which allows context-dependent attackers to cause a deni…

CVSS: 7.8 CWE: CWE-310 View on NVD
2008-07-10
Medium

CVE-2008-1678

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multipl…

CVSS: 5.0 CWE: CWE-399 View on NVD
2008-05-29
Medium

CVE-2008-0891

Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello pack…

CVSS: 4.3 CWE: CWE-189 View on NVD
Medium

CVE-2008-1672

OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which trigge…

CVSS: 4.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2008-05-13
High

CVE-2008-0166

OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to cond…

CVSS: 7.5 CWE: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) View on NVD
2007-12-01
Medium

CVE-2007-5502

The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does not perform auto-seeding during the FIPS self-test, which generates random data that is more predictable than expected and makes…

CVSS: 6.4 CWE: CWE-310 View on NVD
2007-10-18
Medium

CVE-2007-5536

Unspecified vulnerability in OpenSSL before A.00.09.07l on HP-UX B.11.11, B.11.23, and B.11.31 allows local users to cause a denial of service via unspecified vectors.

CVSS: 4.9 CWE: N/A View on NVD
2007-10-13
Critical

CVE-2007-4995

Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.

CVSS: 9.3 CWE: CWE-189 View on NVD
2007-09-27
Medium

CVE-2007-5135

Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that trigger…

CVSS: 6.8 CWE: CWE-189 View on NVD
2007-09-18
Low

CVE-2007-4931

HP System Management Homepage (SMH) for Windows, when used in conjunction with HP Version Control Agent or Version Control Repository Manager, leaves old OpenSSL software active after an OpenSSL upda…

CVSS: 2.1 CWE: N/A View on NVD
2007-09-04
High

CVE-2007-4662

Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4 has unknown impact and attack vectors.

CVSS: 7.5 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2007-08-08
Low

CVE-2007-3108

The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attac…

CVSS: 1.2 CWE: N/A View on NVD
2006-09-28
High

CVE-2006-2937

OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improper…

CVSS: 7.8 CWE: CWE-399 View on NVD
High

CVE-2006-2940

OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) "public exponent" or (2…

CVSS: 7.8 CWE: CWE-399 View on NVD
Critical

CVE-2006-3738

Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list…

CVSS: 10.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Medium

CVE-2006-4343

The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via…

CVSS: 4.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2006-09-05
Medium

CVE-2006-4339

OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PK…

CVSS: 4.3 CWE: CWE-310 View on NVD
2006-07-07
Medium

CVE-2006-3419

Tor before 0.1.1.20 uses OpenSSL pseudo-random bytes (RAND_pseudo_bytes) instead of cryptographically strong RAND_bytes, and seeds the entropy value at start-up with 160-bit chunks without reseeding,…

CVSS: 5.0 CWE: N/A View on NVD
2006-04-03
High

CVE-2006-1599

Unspecified vulnerability in VCEngine.php in v-creator before 1.3-pre3, when the VC_CRYPTO_METHOD option is OPENSSL, allows remote attackers to execute arbitrary commands, possibly due to problems in…

CVSS: 7.5 CWE: N/A View on NVD
2005-12-31
Critical

CVE-2005-1730

Multiple vulnerabilities in the OpenSSL ASN.1 parser, as used in Novell iManager 2.0.2, allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted packets, as demonst…

CVSS: 9.3 CWE: N/A View on NVD
2005-10-18
Medium

CVE-2005-2969

The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preven…

CVSS: 5.0 CWE: N/A View on NVD
2005-09-20
Low

CVE-2005-2995

bacula 1.36.3 and earlier allows local users to modify or read sensitive files via symlink attacks on (1) the temporary file used by autoconf/randpass when openssl is not available, or (2) the mtx.[P…

CVSS: 3.6 CWE: N/A View on NVD
2005-09-16
High

CVE-2005-2946

The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong algorithm, which makes it easier for remote attackers to forge certi…

CVSS: 7.5 CWE: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm View on NVD
2005-08-24
Medium

CVE-2005-2531

OpenVPN before 2.0.1, when running with "verb 0" and without TLS authentication, does not properly flush the OpenSSL error queue when a client fails certificate authentication to the server and cause…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2005-2532

OpenVPN before 2.0.1 does not properly flush the OpenSSL error queue when a packet can not be decrypted by the server, which allows remote authenticated attackers to cause a denial of service (client…

CVSS: 5.0 CWE: N/A View on NVD
2005-02-09
Low

CVE-2004-0975

The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.

CVSS: 2.1 CWE: N/A View on NVD
2004-12-31
Medium

CVE-2004-2662

Soft3304 04WebServer before 1.41 allows remote attackers to cause a denial of service (resource consumption or crash) via certain data related to OpenSSL, which causes a thread to terminate but conti…

CVSS: 5.0 CWE: N/A View on NVD
2004-12-06
Critical

CVE-2004-0607

The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication.

CVSS: 10.0 CWE: N/A View on NVD
2004-11-23
High

CVE-2004-0079

The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
Medium

CVE-2004-0081

OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2004-0112

The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote at…

CVSS: 5.0 CWE: CWE-125 - Out-of-bounds Read View on NVD
2004-01-15
Medium

CVE-2005-1247

webadmin.exe in Novell Nsure Audit 1.0.1 allows remote attackers to cause a denial of service via malformed ASN.1 packets in corrupt client certificates to an SSL server, as demonstrated using an exp…

CVSS: 5.0 CWE: N/A View on NVD
2003-12-01
Medium

CVE-2003-0851

OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.

CVSS: 5.0 CWE: N/A View on NVD
2003-11-17
Medium

CVE-2002-1568

OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attackers to cause a denial of service (crash) via certain messages that c…

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2003-0543

Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values.

CVSS: 5.0 CWE: N/A View on NVD
Medium

CVE-2003-0544

OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that…

CVSS: 5.0 CWE: N/A View on NVD
Critical

CVE-2003-0545

Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1…

CVSS: 9.8 CWE: CWE-415 - Double Free View on NVD
2003-03-31
Medium

CVE-2003-0147

OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra red…

CVSS: 5.0 CWE: N/A View on NVD
2003-03-24
High

CVE-2003-0131

The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses…

CVSS: 7.5 CWE: N/A View on NVD
2003-03-03
Medium

CVE-2003-0078

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing…

CVSS: 5.0 CWE: CWE-203 - Observable Discrepancy View on NVD
2002-08-12
High

CVE-2002-0655

OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit platforms, which could allow attackers to cause a denial of service and p…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2002-0656

Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via (1) a large client master key in SSL2 or (2) a large session ID in SS…

CVSS: 7.5 CWE: N/A View on NVD
High

CVE-2002-0657

Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key.

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2002-0659

The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service via invalid encodings.

CVSS: 5.0 CWE: N/A View on NVD
2001-07-10
Medium

CVE-2001-1141

The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG requests to determine the internal state information, which could be use…

CVSS: 5.0 CWE: N/A View on NVD
2000-06-12
Medium

CVE-2000-0535

OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which are absent on FreeBSD Alpha systems, which causes them to produce weak…

CVSS: 5.0 CWE: N/A View on NVD
1999-03-22
High

CVE-1999-0428

OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.

CVSS: 7.5 CWE: CWE-384 - Session Fixation View on NVD