Closed mend-bolt-for-github[bot] closed 8 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - opensslOpenSSL_1_0_1g
TLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Vulnerable Source Files (1)
/ssl/d1_both.c
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-46880
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (1)/crypto/x509/x509_vfy.c
### Vulnerability Detailsx509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded.
Publish Date: 2023-04-15
URL: CVE-2021-46880
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-6303
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (3)/crypto/mdc2/mdc2dgst.c /crypto/mdc2/mdc2dgst.c /crypto/mdc2/mdc2dgst.c
### Vulnerability DetailsInteger overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
Publish Date: 2016-09-16
URL: CVE-2016-6303
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303
Release Date: 2016-09-16
Fix Resolution: 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2842
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/crypto/bio/b_print.c /crypto/bio/b_print.c
### Vulnerability DetailsThe doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.
Publish Date: 2016-03-03
URL: CVE-2016-2842
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2842
Release Date: 2016-03-03
Fix Resolution: 1.0.1s,1.0.2g
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2182
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/crypto/bn/bn_print.c /crypto/bn/bn_print.c
### Vulnerability DetailsThe BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
Publish Date: 2016-09-16
URL: CVE-2016-2182
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.openssl.org/news/secadv/20160922.txt
Release Date: 2016-09-16
Fix Resolution: 1.0.1u,1.0.2i
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2177
### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1gOpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Publish Date: 2016-06-20
URL: CVE-2016-2177
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2177
Release Date: 2016-06-20
Fix Resolution: openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2108
### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1gThe ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Publish Date: 2016-05-05
URL: CVE-2016-2108
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2108
Release Date: 2016-05-05
Fix Resolution: 1.0.1o,1.0.2c
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-0799
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/crypto/bio/b_print.c /crypto/bio/b_print.c
### Vulnerability DetailsThe fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
Publish Date: 2016-03-03
URL: CVE-2016-0799
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0799
Release Date: 2016-03-03
Fix Resolution: 1.0.1s,1.0.2g
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-0705
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/crypto/dsa/dsa_ameth.c /crypto/dsa/dsa_ameth.c
### Vulnerability DetailsDouble free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
Publish Date: 2016-03-03
URL: CVE-2016-0705
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0705
Release Date: 2016-03-03
Fix Resolution: 1.0.1s,1.0.2g
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2009-3245
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (3)/crypto/bn/bn_mul.c /crypto/bn/bn_mul.c /crypto/bn/bn_mul.c
### Vulnerability DetailsOpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Publish Date: 2010-03-05
URL: CVE-2009-3245
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245
Release Date: 2010-03-05
Fix Resolution: 0.9.8m
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2176
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/crypto/x509/x509_obj.c /crypto/x509/x509_obj.c
### Vulnerability DetailsThe X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
Publish Date: 2016-05-05
URL: CVE-2016-2176
### CVSS 3 Score Details (8.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2176
Release Date: 2016-05-05
Fix Resolution: 1.0.1t,1.0.2h
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2023-0464
### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1gA security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.
Publish Date: 2023-03-22
URL: CVE-2023-0464
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: NO_FIX
Release Date: 2023-03-22
Fix Resolution: OpenSSL_1_1_1u,openssl-3.0.9,openssl-3.1.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2022-0778
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (3)/crypto/bn/bn_sqrt.c /crypto/bn/bn_sqrt.c /crypto/bn/bn_sqrt.c
### Vulnerability DetailsThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
Publish Date: 2022-03-15
URL: CVE-2022-0778
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-jf66-3q76-h5p5
Release Date: 2022-03-15
Fix Resolution: OpenSSL_1_1_1n, openssl-3.0.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-6304
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (1)/ssl/t1_lib.c
### Vulnerability DetailsMultiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
Publish Date: 2016-09-26
URL: CVE-2016-6304
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
Release Date: 2016-09-26
Fix Resolution: 1.0.1u,1.0.2i,1.1.0a
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-6302
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (1)/ssl/t1_lib.c
### Vulnerability DetailsThe tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
Publish Date: 2016-09-16
URL: CVE-2016-6302
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6175
Release Date: 2016-09-16
Fix Resolution: 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2183
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/ssl/s3_lib.c /ssl/s3_lib.c
### Vulnerability DetailsThe DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
Publish Date: 2016-09-01
URL: CVE-2016-2183
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6206
Release Date: 2016-09-01
Fix Resolution: 1.0.2i,1.0.1u
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2181
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/ssl/ssl_err.c /ssl/ssl_err.c
### Vulnerability DetailsThe Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
Publish Date: 2016-09-16
URL: CVE-2016-2181
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6175
Release Date: 2016-09-16
Fix Resolution: 1.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2180
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (2)/crypto/ts/ts_lib.c /crypto/ts/ts_lib.c
### Vulnerability DetailsThe TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
Publish Date: 2016-08-01
URL: CVE-2016-2180
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1359615
Release Date: 2016-08-01
Fix Resolution: 1.0.1u,1.0.2i
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2179
### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1gThe DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
Publish Date: 2016-09-16
URL: CVE-2016-2179
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.openssl.org/news/secadv/20160922.txt
Release Date: 2016-09-16
Fix Resolution: 1.0.1u,1.0.2i
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2016-2109
### Vulnerable Library - opensslOpenSSL_1_0_1gTLS/SSL and crypto library
Library home page: https://github.com/openssl/openssl.git
Found in base branch: master
### Vulnerable Source Files (1)/crypto/asn1/a_d2i_fp.c
### Vulnerability DetailsThe asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
Publish Date: 2016-05-05
URL: CVE-2016-2109
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2109
Release Date: 2016-05-05
Fix Resolution: 1.0.1t,1.0.2h
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)