CVE Daily
← All tags

Tag: TLS

All CVEs associated with "TLS". Page 12/13 • 1449 CVEs.

Subscribe CVEs: RSS for “TLS”  ·  RSS (High+Critical only)

About “TLS”

A curated feed of “TLS”-related CVEs appears below. We currently track 1449 CVEs for this tag (all time). In the last 365 days, 338 were published. Average CVSS is 6.7 (all time; 6.9 over 365d), and 48% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-295 - Improper Certificate Validation, CWE-400 - Uncontrolled Resource Consumption, CWE-20 - Improper Input Validation.

In our taxonomy this topic maps to a MODERATE impact class. Crypto or TLS libraries have ecosystem wide impact. Upgrade, restart dependents, disable legacy protocols, and consider key rotation. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2013-10-26
Medium

CVE-2013-5914

Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet.

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2013-10-24
Low

CVE-2013-5183

Mail in Apple Mac OS X before 10.9, when Kerberos authentication is enabled and TLS is disabled, sends invalid cleartext data, which allows remote attackers to obtain sensitive information by sniffin…

CVSS: 2.6 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2013-10-17
Medium

CVE-2013-6169

The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack.

CVSS: 4.3 CWE: CWE-310 View on NVD
2013-09-30
Medium

CVE-2013-4623

The x509parse_crt function in x509.h in PolarSSL 1.1.x before 1.1.7 and 1.2.x before 1.2.8 does not properly parse certificate messages during the SSL/TLS handshake, which allows remote attackers to…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2013-09-23
Medium

CVE-2013-1431

The Wocky module in Telepathy Gabble before 0.16.6 and 0.17.x before 0.17.4, when connecting to a "legacy Jabber server," does not properly enforce the WockyConnector:tls-required flag, which allows…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2013-09-08
High

CVE-2013-3458

Cisco Adaptive Security Appliances (ASA) devices, when SMP is used, do not properly process X.509 certificates, which allows remote attackers to cause a denial of service (device crash) via a large v…

CVSS: 7.1 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2013-03-15
Medium

CVE-2013-2566

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis…

CVSS: 5.9 CWE: CWE-326 - Inadequate Encryption Strength View on NVD
2013-03-07
Medium

CVE-2013-1154

The Cisco Small Business 200 Series Smart Switch 1.2.7.76 and earlier, Small Business 300 Series Managed Switch 1.2.7.76 and earlier, and Small Business 500 Series Stackable Managed Switch 1.2.7.76 a…

CVSS: 5.0 CWE: CWE-399 View on NVD
2013-02-27
High

CVE-2013-1135

Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.0 allows remote attackers to cause a denial of service (CPU consumption and monitoring outage) via malformed TLS messag…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2013-02-08
Medium

CVE-2013-1624

The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the…

CVSS: 4.0 CWE: CWE-310 View on NVD
Medium

CVE-2013-1623

The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC paddi…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2013-1621

Array index error in the SSL module in PolarSSL before 1.2.5 might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC pa…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2013-1620

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC p…

CVSS: 4.3 CWE: CWE-203 - Observable Discrepancy View on NVD
Medium

CVE-2013-1619

The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the pr…

CVSS: 4.0 CWE: CWE-310 View on NVD
Medium

CVE-2013-1618

The TLS implementation in Opera before 12.13 does not properly consider timing side-channel attacks on a MAC check operation during the processing of malformed CBC padding, which allows remote attack…

CVSS: 4.0 CWE: CWE-310 View on NVD
Low

CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirem…

CVSS: 2.6 CWE: CWE-310 View on NVD
Medium

CVE-2012-2686

crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application cr…

CVSS: 5.0 CWE: CWE-310 View on NVD
2013-02-02
Medium

CVE-2013-0440

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 7, a…

CVSS: 5.0 CWE: N/A View on NVD
2013-01-09
Medium

CVE-2013-0013

The SSL provider component in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle enc…

CVSS: 5.8 CWE: CWE-264 View on NVD
2012-12-08
Low

CVE-2012-4838

IBM Flex System Chassis Management Module (CMM) and Integrated Management Module 2 (IMM2) allow local users to obtain sensitive information about (1) local accounts, (2) SSH private keys, (3) SSL/TLS…

CVSS: 1.9 CWE: N/A View on NVD
2012-11-14
Medium

CVE-2012-2532

Microsoft FTP Service 7.0 and 7.5 for Internet Information Services (IIS) processes unspecified commands before TLS is enabled for a session, which allows remote attackers to obtain sensitive informa…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2012-11-11
Medium

CVE-2012-3523

The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cle…

CVSS: 6.8 CWE: CWE-264 View on NVD
2012-10-10
Medium

CVE-2012-4445

Heap-based buffer overflow in the eap_server_tls_process_fragment function in eap_server_tls_common.c in the EAP authentication server in hostapd 0.6 through 1.0 allows remote attackers to cause a de…

CVSS: 4.3 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2012-09-18
Medium

CVE-2012-3547

Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and…

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2012-09-15
Low

CVE-2012-4930

The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypte…

CVSS: 2.6 CWE: CWE-310 View on NVD
Low

CVE-2012-4929

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which…

CVSS: 2.6 CWE: CWE-310 View on NVD
2012-08-21
Medium

CVE-2012-2190

IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.4, and 8.5.x before 8.5.0.1,…

CVSS: 5.0 CWE: CWE-310 View on NVD
2012-08-08
Medium

CVE-2012-2191

IBM Global Security Kit (aka GSKit) before 8.0.14.22, as used in IBM Rational Directory Server, IBM Tivoli Directory Server, and other products, does not properly validate data during execution of a…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2012-07-10
Medium

CVE-2012-1870

The CBC mode in the TLS protocol, as used in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and other p…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2012-06-17
Medium

CVE-2012-2668

libraries/libldap/tls_m.c in OpenLDAP, possibly 2.4.31 and earlier, when using the Mozilla NSS backend, always uses the default cipher suite even when TLSCipherSuite is set, which might cause OpenLDA…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2012-06-16
Medium

CVE-2011-5094

Mozilla Network Security Services (NSS) 3.x, with certain settings of the SSL_ENABLE_RENEGOTIATION option, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols,…

CVSS: 4.3 CWE: N/A View on NVD
Medium

CVE-2011-1473

OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a d…

CVSS: 5.0 CWE: CWE-264 View on NVD
2012-05-14
Medium

CVE-2012-2333

Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of serv…

CVSS: 6.8 CWE: CWE-189 View on NVD
2012-04-22
Medium

CVE-2012-0726

The default configuration of TLS in IBM Tivoli Directory Server (TDS) 6.3 and earlier supports the (1) NULL-MD5 and (2) NULL-SHA ciphers, which allows remote attackers to trigger unencrypted communic…

CVSS: 6.4 CWE: CWE-310 View on NVD
2012-01-27
Medium

CVE-2011-4354

crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances involving ECDH or ECDHE cipher suites, uses an incorrect modular redu…

CVSS: 5.8 CWE: CWE-310 View on NVD
2012-01-06
Medium

CVE-2012-0027

The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remote attackers to cause a denial of service (daemon crash) via crafted d…

CVSS: 5.0 CWE: CWE-399 View on NVD
2011-12-23
Medium

CVE-2011-4894

Tor before 0.2.2.34, when configured as a bridge, uses direct DirPort access instead of a Tor TLS connection for a directory fetch, which makes it easier for remote attackers to enumerate bridges by…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2011-2768

Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by r…

CVSS: 5.8 CWE: CWE-264 View on NVD
2011-12-08
Medium

CVE-2011-4128

Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumptio…

CVSS: 4.3 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2011-09-22
Medium

CVE-2011-3210

The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows r…

CVSS: 5.0 CWE: CWE-399 View on NVD
2011-08-04
Medium

CVE-2011-2701

The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is enabled, does not properly parse replies from OCSP responders, which allows remote attackers to bypass authentication by us…

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2011-05-26
Medium

CVE-2011-1775

The CSecurityTLS::processMsg function in common/rfb/CSecurityTLS.cxx in the vncviewer component in TigerVNC 1.1beta1 does not properly verify the server's X.509 certificate, which allows man-in-the-m…

CVSS: 5.8 CWE: CWE-20 - Improper Input Validation View on NVD
2011-05-23
Medium

CVE-2011-2165

The STARTTLS implementation in WatchGuard XCS 9.0 and 9.1 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending…

CVSS: 6.8 CWE: CWE-264 View on NVD
Medium

CVE-2011-1926

The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending…

CVSS: 5.1 CWE: CWE-264 View on NVD
Medium

CVE-2011-1575

The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP session…

CVSS: 5.8 CWE: CWE-399 View on NVD
2011-03-31
Medium

CVE-2011-1175

tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer…

CVSS: 5.0 CWE: N/A View on NVD
2011-03-22
Medium

CVE-2011-1506

The STARTTLS implementation in Kerio Connect 7.1.4 build 2985 and MailServer 6.x does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted S…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2011-03-16
Medium

CVE-2011-1432

The STARTTLS implementation in SCO SCOoffice Server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cle…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2011-1431

The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to inse…

CVSS: 6.8 CWE: N/A View on NVD
Medium

CVE-2011-1430

The STARTTLS implementation in the server in Ipswitch IMail 11.03 and earlier does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2011-0411

The STARTTLS implementation in Postfix 2.4.x before 2.4.16, 2.5.x before 2.5.12, 2.6.x before 2.6.9, and 2.7.x before 2.7.3 does not properly restrict I/O buffering, which allows man-in-the-middle at…

CVSS: 6.8 CWE: CWE-264 View on NVD
2010-11-17
High

CVE-2010-3864

Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to ex…

CVSS: 7.6 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2010-10-13
High

CVE-2010-3229

The Secure Channel (aka SChannel) security package in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7, when IIS 7.x is used, does not properly process client…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2010-08-25
Medium

CVE-2010-1800

CFNetwork in Apple Mac OS X 10.6.3 and 10.6.4 supports anonymous SSL and TLS connections, which allows man-in-the-middle attackers to redirect a connection and obtain sensitive information via crafte…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2010-08-11
Critical

CVE-2010-2566

The Secure Channel (aka SChannel) security package in Microsoft Windows XP SP2 and SP3, and Windows Server 2003 SP2, does not properly validate certificate request messages from TLS and SSL servers,…

CVSS: 9.3 CWE: CWE-20 - Improper Input Validation View on NVD
2010-08-10
Critical

CVE-2010-2977

Cisco Unified Wireless Network (UWN) Solution 7.x before 7.0.98.0 does not properly implement TLS and SSL, which has unspecified impact and remote attack vectors, aka Bug ID CSCtd01611.

CVSS: 10.0 CWE: CWE-16 View on NVD
2010-08-09
High

CVE-2010-2815

Unspecified vulnerability in the Transport Layer Security (TLS) implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2010-2814

Unspecified vulnerability in the Transport Layer Security (TLS) implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8…

CVSS: 7.8 CWE: N/A View on NVD
High

CVE-2010-1581

Unspecified vulnerability in the Transport Layer Security (TLS) implementation on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 before 7.2(5), 8.0 before 8.0(5.15), 8…

CVSS: 7.8 CWE: N/A View on NVD
2010-06-29
High

CVE-2009-4923

Unspecified vulnerability in the DTLS implementation on Cisco Adaptive Security Appliances (ASA) 5580 series devices with software before 8.1(2) allows remote attackers to cause a denial of service (…

CVSS: 7.8 CWE: N/A View on NVD
2010-03-31
Medium

CVE-2010-1194

The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attac…

CVSS: 6.8 CWE: CWE-310 View on NVD
2010-03-30
High

CVE-2010-0524

The default configuration of the FreeRADIUS server in Apple Mac OS X Server before 10.6.3 permits EAP-TLS authenticated connections on the basis of an arbitrary client certificate, which allows remot…

CVSS: 7.5 CWE: CWE-264 View on NVD
2010-03-26
Medium

CVE-2010-0740

The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a N…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2010-02-26
Low

CVE-2009-4652

The (1) Conn_GetCipherInfo and (2) Conn_UsesSSL functions in src/ngircd/conn.c in ngIRCd 13 and 14, when SSL/TLS support is present and standalone mode is disabled, allow remote attackers to cause a…

CVSS: 2.6 CWE: N/A View on NVD
2009-11-13
Medium

CVE-2009-3936

Unspecified vulnerability in Citrix Online Plug-in for Windows 11.0.x before 11.0.150 and 11.x before 11.2, Online Plug-in for Mac before 11.0, Receiver for iPhone before 1.0.3, and ICA Java, Mac, UN…

CVSS: 5.8 CWE: CWE-310 View on NVD
2009-11-09
Critical

CVE-2009-3555

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9…

CVSS: 9.8 CWE: CWE-295 - Improper Certificate Validation View on NVD
2009-10-28
Medium

CVE-2009-3639

The mod_tls module in ProFTPD before 1.3.2b, and 1.3.3 before 1.3.3rc2, when the dNSNameRequired TLS option is enabled, does not properly handle a '\0' character in a domain name in the Subject Alter…

CVSS: 5.8 CWE: CWE-310 View on NVD
2009-10-23
Medium

CVE-2009-3767

libraries/libldap/tls_o.c in OpenLDAP 2.2 and 2.4, and possibly other versions, when OpenSSL is used, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) fiel…

CVSS: 4.3 CWE: CWE-295 - Improper Certificate Validation View on NVD
2009-09-18
Medium

CVE-2009-3243

Unspecified vulnerability in the TLS dissector in Wireshark 1.2.0 and 1.2.1, when running on Windows, allows remote attackers to cause a denial of service (application crash) via unknown vectors rela…

CVSS: 5.0 CWE: N/A View on NVD
2009-08-31
Medium

CVE-2009-3026

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP…

CVSS: 5.0 CWE: CWE-310 View on NVD
2009-06-16
Medium

CVE-2009-1390

Mutt 1.5.19, when linked against (1) OpenSSL (mutt_ssl.c) or (2) GnuTLS (mutt_ssl_gnutls.c), allows connections when only one TLS certificate in the chain is accepted instead of verifying the entire…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2009-03-27
High

CVE-2009-0630

The (1) Cisco Unified Communications Manager Express; (2) SIP Gateway Signaling Support Over Transport Layer Security (TLS) Transport; (3) Secure Signaling and Media Encryption; (4) Blocks Extensible…

CVSS: 7.1 CWE: N/A View on NVD
2009-03-12
Medium

CVE-2009-0884

Buffer overflow in FileZilla Server before 0.9.31 allows remote attackers to cause a denial of service via unspecified vectors related to SSL/TLS packets.

CVSS: 4.3 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2009-03-10
High

CVE-2009-0085

The Secure Channel (aka SChannel) authentication component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008, when certificate authentication…

CVSS: 7.1 CWE: CWE-287 - Improper Authentication View on NVD
2009-01-26
High

CVE-2009-0265

Internet Systems Consortium (ISC) BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the…

CVSS: 7.5 CWE: CWE-252 - Unchecked Return Value View on NVD
2009-01-15
High

CVE-2009-0130

lib/crypto/c_src/crypto_drv.c in erlang does not properly check the return value from the OpenSSL DSA_do_verify function, which might allow remote attackers to bypass validation of the certificate ch…

CVSS: 7.5 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0129

libcrypt-openssl-dsa-perl does not properly check the return value from the OpenSSL DSA_verify and DSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0128

plugins/crypto/openssl/crypto_openssl.c in Simple Linux Utility for Resource Management (aka SLURM or slurm-llnl) does not properly check the return value from the OpenSSL EVP_VerifyFinal function, w…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0127

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypas…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0126

The decrypt_public function in lib/crypt.cpp in the client in Berkeley Open Infrastructure for Network Computing (BOINC) 6.2.14 and 6.4.5 does not check the return value from the OpenSSL RSA_public_d…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0125

NOTE: this issue has been disputed by the upstream vendor. nasl/nasl_crypto2.c in the Nessus Attack Scripting Language library (aka libnasl) 2.2.11 does not properly check the return value from the O…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0124

The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allow…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
2009-01-07
Medium

CVE-2009-0051

ZXID 0.29 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TL…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0050

Lasso 2.2.1 and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2009-0049

Belgian eID middleware (eidlib) 2.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certifi…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0048

OpenEvidence 1.0.6 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a ma…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0047

Gale 0.99 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed S…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0046

Sun GridEngine 5.3 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a ma…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0025

BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2009-0021

NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certi…

CVSS: 5.0 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2008-5077

OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/…

CVSS: 5.8 CWE: CWE-20 - Improper Input Validation View on NVD
2008-09-04
High

CVE-2008-2441

Cisco Secure ACS 3.x before 3.3(4) Build 12 patch 7, 4.0.x, 4.1.x before 4.1(4) Build 13 Patch 11, and 4.2.x before 4.2(0) Build 124 Patch 4 does not properly handle an EAP Response packet in which t…

CVSS: 7.5 CWE: CWE-399 View on NVD
2008-08-08
High

CVE-2008-2377

Use-after-free vulnerability in the _gnutls_handshake_hash_buffers_clear function in lib/gnutls_handshake.c in libgnutls in GnuTLS 2.3.5 through 2.4.0 allows remote attackers to cause a denial of ser…

CVSS: 7.6 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2008-06-04
High

CVE-2008-2056

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 8.0.x before 8.0(3)9 and 8.1.x before 8.1(1)1 allows remote attackers to cause a denial of service (device reload) via a craft…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2008-05-29
Medium

CVE-2008-0891

Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello pack…

CVSS: 4.3 CWE: CWE-189 View on NVD
Medium

CVE-2008-1672

OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which trigge…

CVSS: 4.3 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2008-05-21
Critical

CVE-2008-1948

The _gnutls_server_name_recv_params function in lib/ext_server_name.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly calculate the number of Server Names in a TLS 1.0 Client Hel…

CVSS: 10.0 CWE: CWE-189 View on NVD
Critical

CVE-2008-1949

The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to process Client Hello messages within a TLS message after one has already…

CVSS: 9.3 CWE: CWE-287 - Improper Authentication View on NVD
Medium

CVE-2008-1950

Integer signedness error in the _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4 allows remote attackers to cause a denial of service (buffer over-rea…

CVSS: 5.0 CWE: CWE-189 View on NVD
2007-12-24
Critical

CVE-2007-6521

Unspecified vulnerability in Opera before 9.25 allows remote attackers to execute arbitrary code via crafted TLS certificates.

CVSS: 10.0 CWE: CWE-310 View on NVD
2007-10-18
High

CVE-2007-5569

Cisco PIX and ASA appliances with 7.1 and 7.2 software, when configured for TLS sessions to the device, allow remote attackers to cause a denial of service (device reload) via a crafted TLS packet, a…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2007-10-09
Medium

CVE-2007-5281

The Java Secure Socket Extension (JSSE) in the Hitachi Cosminexus Developer's Kit for Java in various Hitachi Cosminexus 7.5 products before 07-50-01, when using JSSE for SSL/TLS support, allows remo…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2007-09-21
Medium

CVE-2007-5034

ELinks before 0.11.3, when sending a POST request for an https URL, appends the body and content headers of the POST request to the CONNECT request in cleartext, which allows remote attackers to snif…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2007-09-13
Medium

CVE-2007-4879

Mozilla Firefox before Firefox 2.0.0.13, and SeaMonkey before 1.1.9, can automatically install TLS client certificates with minimal user interaction, and automatically sends these certificates when r…

CVSS: 5.0 CWE: N/A View on NVD
2007-07-18
High

CVE-2007-3564

libcurl 7.14.0 through 7.16.3, when built with GnuTLS support, does not check SSL/TLS certificate expiration or activation dates, which allows remote attackers to bypass certain access restrictions.

CVSS: 7.5 CWE: N/A View on NVD
2007-07-11
High

CVE-2007-3698

The Java Secure Socket Extension (JSSE) in Sun JDK and JRE 6 Update 1 and earlier, JDK and JRE 5.0 Updates 7 through 11, and SDK and JRE 1.4.2_11 through 1.4.2_14, when using JSSE for SSL/TLS support…

CVSS: 7.8 CWE: N/A View on NVD
2007-06-14
High

CVE-2007-3209

Mail Notification 4.0, when WITH_SSL is set to 0 at compile time, uses unencrypted connections for accounts configured with SSL/TLS, which allows remote attackers to obtain sensitive information by s…

CVSS: 7.8 CWE: N/A View on NVD
2007-05-11
High

CVE-2007-2593

The Terminal Server in Microsoft Windows 2003 Server, when using TLS, allows remote attackers to bypass SSL and self-signed certificate requirements, downgrade the server security, and possibly condu…

CVSS: 7.5 CWE: N/A View on NVD
2007-03-02
Medium

CVE-2007-1137

putmail.py in Putmail before 1.4 does not detect when a user attempts to use TLS with a server that does not support it, which causes putmail.py to send the username and password in plaintext while t…

CVSS: 5.0 CWE: N/A View on NVD
2007-01-20
Medium

CVE-2007-0397

The Cisco Security Monitoring, Analysis and Response System (CS-MARS) before 4.2.3 and Adaptive Security Device Manager (ASDM) before 5.2(2.54) do not validate the SSL/TLS certificates or SSH public…

CVSS: 6.4 CWE: N/A View on NVD
2006-12-31
High

CVE-2006-5867

fetchmail before 6.3.6-rc4 does not properly enforce TLS and may transmit cleartext passwords over unsecured links if certain circumstances occur, which allows remote attackers to obtain sensitive in…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2006-11-30
High

CVE-2006-6170

Buffer overflow in the tls_x509_name_oneline function in the mod_tls module, as used in ProFTPD 1.3.0a and earlier, and possibly other products, allows remote attackers to execute arbitrary code via…

CVSS: 7.5 CWE: N/A View on NVD
2006-11-08
Medium

CVE-2006-5462

Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.8, Thunderbird before 1.5.0.8, and SeaMonkey before 1.0.6, when using an RSA key with exponent 3,…

CVSS: 6.4 CWE: N/A View on NVD
2006-09-15
Medium

CVE-2006-4340

Mozilla Network Security Service (NSS) library before 3.11.3, as used in Mozilla Firefox before 1.5.0.7, Thunderbird before 1.5.0.7, and SeaMonkey before 1.0.5, when using an RSA key with exponent 3,…

CVSS: 4.0 CWE: CWE-20 - Improper Input Validation View on NVD
2006-07-07
Medium

CVE-2006-3411

TLS handshakes in Tor before 0.1.1.20 generate public-private keys based on TLS context rather than the connection, which makes it easier for remote attackers to conduct brute force attacks on the en…

CVSS: 6.4 CWE: N/A View on NVD
2006-06-09
Medium

CVE-2006-2924

Ingate Firewall in the SIP module before 4.4.1 and SIParator before 4.4.1, when TLS is enabled or when SSL/TLS is enabled in the web server, allows remote attackers to cause a denial of service (cras…

CVSS: 5.0 CWE: N/A View on NVD
2006-03-02
Low

CVE-2006-0956

nuauth in NuFW before 1.0.21 does not properly handle blocking TLS sockets, which allows remote authenticated users to cause a denial of service (service hang) by flooding packets at the authenticati…

CVSS: 1.7 CWE: N/A View on NVD
2005-11-01
Low

CVE-2005-3402

The SMTP client in Mozilla Thunderbird 1.0.5 BETA, 1.0.7, and possibly other versions, does not notify users when it cannot establish a secure channel with the server, which allows remote attackers t…

CVSS: 2.6 CWE: N/A View on NVD
2005-10-18
Medium

CVE-2005-2969

The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preven…

CVSS: 5.0 CWE: N/A View on NVD
2005-09-27
Medium

CVE-2005-3087

The SecureW2 3.0 TLS implementation uses weak random number generators (rand and srand from system time) during generation of the pre-master secret (PMS), which makes it easier for attackers to guess…

CVSS: 5.0 CWE: N/A View on NVD