opensslOpenSSL_1_0_1g: 86 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Vulnerable Source Files (1)

/ssl/d1_both.c

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (opensslOpenSSL_1_0_1g version)	Remediation Possible**
CVE-2021-46880	Critical	9.8	opensslOpenSSL_1_0_1g	Direct	N/A	❌
CVE-2016-6303	Critical	9.8	opensslOpenSSL_1_0_1g	Direct	1.1.0	❌
CVE-2016-2842	Critical	9.8	opensslOpenSSL_1_0_1g	Direct	1.0.1s,1.0.2g	❌
CVE-2016-2182	Critical	9.8	opensslOpenSSL_1_0_1g	Direct	1.0.1u,1.0.2i	❌
CVE-2016-2177	Critical	9.8	detected in multiple dependencies	Direct	openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1	❌
CVE-2016-2108	Critical	9.8	detected in multiple dependencies	Direct	1.0.1o,1.0.2c	❌
CVE-2016-0799	Critical	9.8	opensslOpenSSL_1_0_1g	Direct	1.0.1s,1.0.2g	❌
CVE-2016-0705	Critical	9.8	opensslOpenSSL_1_0_1g	Direct	1.0.1s,1.0.2g	❌
CVE-2009-3245	Critical	9.8	opensslOpenSSL_1_0_1g	Direct	0.9.8m	❌
CVE-2016-2176	High	8.2	opensslOpenSSL_1_0_1g	Direct	1.0.1t,1.0.2h	❌
CVE-2023-0464	High	7.5	detected in multiple dependencies	Direct	OpenSSL_1_1_1u,openssl-3.0.9,openssl-3.1.1	❌
CVE-2022-0778	High	7.5	opensslOpenSSL_1_0_1g	Direct	OpenSSL_1_1_1n, openssl-3.0.2	❌
CVE-2016-6304	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.0.1u,1.0.2i,1.1.0a	❌
CVE-2016-6302	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.1.0	❌
CVE-2016-2183	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.0.2i,1.0.1u	❌
CVE-2016-2181	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.1.0	❌
CVE-2016-2180	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.0.1u,1.0.2i	❌
CVE-2016-2179	High	7.5	detected in multiple dependencies	Direct	1.0.1u,1.0.2i	❌
CVE-2016-2109	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.0.1t,1.0.2h	❌
CVE-2016-2106	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.0.1t,1.0.2h	❌
CVE-2016-2105	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.0.1t,1.0.2h	❌
CVE-2016-0798	High	7.5	detected in multiple dependencies	Direct	1.0.1s,1.0.2g	❌
CVE-2016-0797	High	7.5	detected in multiple dependencies	Direct	1.0.1s,1.0.2g	❌
CVE-2015-3194	High	7.5	opensslOpenSSL_1_0_1g	Direct	1.0.1q,1.0.2e	❌
CVE-2023-0286	High	7.4	opensslOpenSSL_1_0_1g	Direct	openssl-3.0.8;cryptography - 39.0.1;openssl-src - 111.25.0+1.1.1t,300.0.12+3.0.8	❌
CVE-2021-3712	High	7.4	detected in multiple dependencies	Direct	OpenSSL - 1.1.1l	❌
CVE-2014-0224	High	7.4	detected in multiple dependencies	Direct	0.9.8za,1.0.0m,1.0.1h	❌
CVE-2015-0292	High	7.3	opensslOpenSSL_1_0_1g	Direct	0.9.8za,1.0.0m,1.0.1h	❌
CVE-2014-8176	High	7.3	opensslOpenSSL_1_0_1g	Direct	0.9.8za,1.0.0m,1.0.1h	❌
CVE-2014-3512	High	7.3	opensslOpenSSL_1_0_1g	Direct	1.0.1i	❌
CVE-2012-2110	High	7.3	opensslOpenSSL_1_0_1g	Direct	0.9.8v,1.0.0i,1.0.1a	❌
CVE-2010-4252	High	7.3	opensslOpenSSL_1_0_1g	Direct	1.0.0c	❌
CVE-2018-0734	Medium	5.9	opensslOpenSSL_1_0_1g	Direct	1.0.2q,1.1.0j,1.1.1a	❌
CVE-2016-6306	Medium	5.9	detected in multiple dependencies	Direct	1.0.1u,1.0.2i	❌
CVE-2016-2107	Medium	5.9	opensslOpenSSL_1_0_1g	Direct	1.0.1t,1.0.2h	❌
CVE-2016-0800	Medium	5.9	detected in multiple dependencies	Direct	1.0.1s,1.0.2g	❌
CVE-2016-0704	Medium	5.9	opensslOpenSSL_1_0_1g	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2016-0703	Medium	5.9	opensslOpenSSL_1_0_1g	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2015-3197	Medium	5.9	opensslOpenSSL_1_0_1g	Direct	1.0.1r,1.0.2f	❌
CVE-2014-3567	Medium	5.9	opensslOpenSSL_1_0_1g	Direct	0.9.8zc,1.0.0o,1.0.1j	❌
CVE-2014-3513	Medium	5.9	detected in multiple dependencies	Direct	1.0.1j	❌
CVE-2015-1791	Medium	5.6	opensslOpenSSL_1_0_1g	Direct	0.9.8zg,1.0.0s,1.0.1n,1.0.2b	❌
CVE-2015-0209	Medium	5.6	opensslOpenSSL_1_0_1g	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2014-3509	Medium	5.6	opensslOpenSSL_1_0_1g	Direct	1.0.0n,1.0.1i	❌
CVE-2014-0195	Medium	5.6	opensslOpenSSL_1_0_1g	Direct	0.9.8za,1.0.0m,1.0.1h	❌
CVE-2024-0727	Medium	5.5	detected in multiple dependencies	Direct	OpenSSL_1_1_1x,OpenSSL_1_0_2zj,openssl-3.0.13,openssl-3.1.5,openssl-3.2.1	❌
CVE-2016-7056	Medium	5.5	detected in multiple dependencies	Direct	OpenSSL_1_0_2-beta3	❌
CVE-2016-2178	Medium	5.5	opensslOpenSSL_1_0_1g	Direct	openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1	❌
CVE-2015-3195	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zh,1.0.0t,1.0.1q,1.0.2e	❌
CVE-2015-1792	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zg,1.0.0s,1.0.1n,1.0.2b	❌
CVE-2015-1790	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zg,1.0.0s,1.0.1n,1.0.2b	❌
CVE-2015-0293	Medium	5.3	detected in multiple dependencies	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2015-0289	Medium	5.3	detected in multiple dependencies	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2015-0288	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2015-0287	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2015-0286	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zf,1.0.0r,1.0.1m,1.0.2a	❌
CVE-2015-0206	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	1.0.0p,1.0.1k	❌
CVE-2015-0205	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	1.0.0p,1.0.1k	❌
CVE-2014-8275	Medium	5.3	detected in multiple dependencies	Direct	0.9.8zd,1.0.0p,1.0.1k	❌
CVE-2014-3572	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zd,1.0.0p,1.0.1k	❌
CVE-2014-3571	Medium	5.3	detected in multiple dependencies	Direct	0.9.8zd,1.0.0p,1.0.1k	❌
CVE-2014-3570	Medium	5.3	detected in multiple dependencies	Direct	0.9.8zd,1.0.0p,1.0.1k	❌
CVE-2014-3569	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	OpenSSL_1_0_2a	❌
CVE-2014-3507	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zb,1.0.0n,1.0.1i	❌
CVE-2014-3506	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zb,1.0.0n,1.0.1i	❌
CVE-2014-3505	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8zb,1.0.0n,1.0.1i	❌
CVE-2012-1165	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8u,1.0.0h	❌
CVE-2009-4355	Medium	5.3	opensslOpenSSL_1_0_1g	Direct	0.9.8m, 1.0.0beta5	❌
CVE-2016-0702	Medium	5.1	opensslOpenSSL_1_0_1g	Direct	1.0.1s,1.0.2g	❌
CVE-2010-5298	Medium	4.8	opensslOpenSSL_1_0_1g	Direct	openssl-libs - 1.0.1e-34,1.0.1e-34,1.0.1e-34,1.0.1e-34;openssl-perl - 1.0.1e-34,1.0.1e-16,1.0.1e-16,1.0.1e-34;openssl - 1.0.1e-16,1.0.1e-16,1.0.1e-34,1.0.1e-16,1.0.1e-34,1.0.1e-16,1.0.1e-34;openssl-static - 1.0.1e-16,1.0.1e-34,1.0.1e-34,1.0.1e-16,1.0.1e-34,1.0.1e-34;openssl-devel - 1.0.1e-34,1.0.1e-34,1.0.1e-34,1.0.1e-16,1.0.1e-34,1.0.1e-16;openssl-debuginfo - 1.0.1e-34,1.0.1e-16,1.0.1e-16,1.0.1e-34	❌
CVE-2008-5077	Medium	4.8	opensslOpenSSL_1_0_1g	Direct	0.9.8j	❌
CVE-2018-5407	Medium	4.7	detected in multiple dependencies	Direct	OpenSSL_1_1_0i,OpenSSL_1_1_1	❌
CVE-2021-23839	Low	3.7	opensslOpenSSL_1_0_1g	Direct	OpenSSL_1_1_1j	❌
CVE-2015-3196	Low	3.7	detected in multiple dependencies	Direct	1.0.0t,1.0.1p,1.0.2d	❌
CVE-2015-1788	Low	3.7	detected in multiple dependencies	Direct	0.9.8s,1.0.0e,1.0.1n,1.0.2b	❌
CVE-2014-5139	Low	3.7	detected in multiple dependencies	Direct	1.0.1i	❌
CVE-2014-3568	Low	3.7	detected in multiple dependencies	Direct	0.9.8zc,1.0.0o,1.0.1j	❌
CVE-2014-3511	Low	3.7	opensslOpenSSL_1_0_1g	Direct	1.0.1i	❌
CVE-2014-3510	Low	3.7	opensslOpenSSL_1_0_1g	Direct	0.9.8zb,1.0.0n,1.0.1i	❌
CVE-2014-3508	Low	3.7	detected in multiple dependencies	Direct	0.9.8zb,1.0.0n,1.0.1i	❌
CVE-2014-3470	Low	3.7	opensslOpenSSL_1_0_1g	Direct	0.9.8za,1.0.0m,1.0.1h	❌
CVE-2014-0221	Low	3.7	opensslOpenSSL_1_0_1g	Direct	0.9.8za,1.0.0m,1.0.1h	❌
CVE-2014-0198	Low	3.7	opensslOpenSSL_1_0_1g	Direct	openssl.redist - 1.0.1.25	❌
CVE-2013-6449	Low	3.7	opensslOpenSSL_1_0_1g	Direct	1.0.2	❌
CVE-2013-0169	Low	3.7	opensslOpenSSL_1_0_1g	Direct	java-1.6.0-openjdk - 1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8;java-1.7.0-openjdk-src - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-devel - 1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8;java-1.7.0-openjdk - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-src - 1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8;openssl-perl - 0.9.8e-26,0.9.8e-26;openssl - 0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26;java-1.6.0-openjdk-javadoc - 1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8;openssl-devel - 0.9.8e-26,0.9.8e-26;java-1.7.0-openjdk-demo - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-demo - 1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8;java-1.7.0-openjdk-debuginfo - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;openssl-debuginfo - 0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26;java-1.7.0-openjdk-javadoc - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-debuginfo - 1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8;java-1.7.0-openjdk-devel - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1	❌
CVE-2014-3566	Low	3.4	detected in multiple dependencies	Direct	openssl - 1.0.2;openssl-android - 1.0.2	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-46880

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/crypto/x509/x509_vfy.c

### Vulnerability Details

x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded.

Publish Date: 2023-04-15

URL: CVE-2021-46880

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-6303

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (3)

/crypto/mdc2/mdc2dgst.c /crypto/mdc2/mdc2dgst.c /crypto/mdc2/mdc2dgst.c

### Vulnerability Details

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

Publish Date: 2016-09-16

URL: CVE-2016-6303

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303

Release Date: 2016-09-16

Fix Resolution: 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2842

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/bio/b_print.c /crypto/bio/b_print.c

### Vulnerability Details

The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

Publish Date: 2016-03-03

URL: CVE-2016-2842

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2842

Release Date: 2016-03-03

Fix Resolution: 1.0.1s,1.0.2g

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2182

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/bn/bn_print.c /crypto/bn/bn_print.c

### Vulnerability Details

The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

Publish Date: 2016-09-16

URL: CVE-2016-2182

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/secadv/20160922.txt

Release Date: 2016-09-16

Fix Resolution: 1.0.1u,1.0.2i

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2177

### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

Publish Date: 2016-06-20

URL: CVE-2016-2177

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2177

Release Date: 2016-06-20

Fix Resolution: openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2108

### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

Publish Date: 2016-05-05

URL: CVE-2016-2108

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2108

Release Date: 2016-05-05

Fix Resolution: 1.0.1o,1.0.2c

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-0799

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/bio/b_print.c /crypto/bio/b_print.c

### Vulnerability Details

The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.

Publish Date: 2016-03-03

URL: CVE-2016-0799

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0799

Release Date: 2016-03-03

Fix Resolution: 1.0.1s,1.0.2g

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-0705

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/dsa/dsa_ameth.c /crypto/dsa/dsa_ameth.c

### Vulnerability Details

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

Publish Date: 2016-03-03

URL: CVE-2016-0705

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0705

Release Date: 2016-03-03

Fix Resolution: 1.0.1s,1.0.2g

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2009-3245

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (3)

/crypto/bn/bn_mul.c /crypto/bn/bn_mul.c /crypto/bn/bn_mul.c

### Vulnerability Details

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

Publish Date: 2010-03-05

URL: CVE-2009-3245

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245

Release Date: 2010-03-05

Fix Resolution: 0.9.8m

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2176

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/x509/x509_obj.c /crypto/x509/x509_obj.c

### Vulnerability Details

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Publish Date: 2016-05-05

URL: CVE-2016-2176

### CVSS 3 Score Details (8.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2176

Release Date: 2016-05-05

Fix Resolution: 1.0.1t,1.0.2h

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-0464

### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Publish Date: 2023-03-22

URL: CVE-2023-0464

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: NO_FIX

Release Date: 2023-03-22

Fix Resolution: OpenSSL_1_1_1u,openssl-3.0.9,openssl-3.1.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-0778

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (3)

/crypto/bn/bn_sqrt.c /crypto/bn/bn_sqrt.c /crypto/bn/bn_sqrt.c

### Vulnerability Details

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Publish Date: 2022-03-15

URL: CVE-2022-0778

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-jf66-3q76-h5p5

Release Date: 2022-03-15

Fix Resolution: OpenSSL_1_1_1n, openssl-3.0.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-6304

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/ssl/t1_lib.c

### Vulnerability Details

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

Publish Date: 2016-09-26

URL: CVE-2016-6304

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304

Release Date: 2016-09-26

Fix Resolution: 1.0.1u,1.0.2i,1.1.0a

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-6302

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/ssl/t1_lib.c

### Vulnerability Details

The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.

Publish Date: 2016-09-16

URL: CVE-2016-6302

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6175

Release Date: 2016-09-16

Fix Resolution: 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2183

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/ssl/s3_lib.c /ssl/s3_lib.c

### Vulnerability Details

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Publish Date: 2016-09-01

URL: CVE-2016-2183

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6206

Release Date: 2016-09-01

Fix Resolution: 1.0.2i,1.0.1u

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2181

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/ssl/ssl_err.c /ssl/ssl_err.c

### Vulnerability Details

The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.

Publish Date: 2016-09-16

URL: CVE-2016-2181

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6175

Release Date: 2016-09-16

Fix Resolution: 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2180

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/ts/ts_lib.c /crypto/ts/ts_lib.c

### Vulnerability Details

The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.

Publish Date: 2016-08-01

URL: CVE-2016-2180

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1359615

Release Date: 2016-08-01

Fix Resolution: 1.0.1u,1.0.2i

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2179

### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.

Publish Date: 2016-09-16

URL: CVE-2016-2179

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/secadv/20160922.txt

Release Date: 2016-09-16

Fix Resolution: 1.0.1u,1.0.2i

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2109

### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/crypto/asn1/a_d2i_fp.c

### Vulnerability Details

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

Publish Date: 2016-05-05

URL: CVE-2016-2109

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2109

Release Date: 2016-05-05

Fix Resolution: 1.0.1t,1.0.2h

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Trinadh465 / OpenSSL-1_0_1g

opensslOpenSSL_1_0_1g: 86 vulnerabilities (highest severity is: 9.8) - autoclosed #89

Vulnerabilities

Details