Trinadh465 / OpenSSL-1_0_1g

Other
0 stars 0 forks source link

opensslOpenSSL_1_0_1g: 86 vulnerabilities (highest severity is: 9.8) - autoclosed #89

Closed mend-bolt-for-github[bot] closed 8 months ago

mend-bolt-for-github[bot] commented 8 months ago
Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Vulnerable Source Files (1)

/ssl/d1_both.c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (opensslOpenSSL_1_0_1g version) Remediation Possible**
CVE-2021-46880 Critical 9.8 opensslOpenSSL_1_0_1g Direct N/A
CVE-2016-6303 Critical 9.8 opensslOpenSSL_1_0_1g Direct 1.1.0
CVE-2016-2842 Critical 9.8 opensslOpenSSL_1_0_1g Direct 1.0.1s,1.0.2g
CVE-2016-2182 Critical 9.8 opensslOpenSSL_1_0_1g Direct 1.0.1u,1.0.2i
CVE-2016-2177 Critical 9.8 detected in multiple dependencies Direct openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1
CVE-2016-2108 Critical 9.8 detected in multiple dependencies Direct 1.0.1o,1.0.2c
CVE-2016-0799 Critical 9.8 opensslOpenSSL_1_0_1g Direct 1.0.1s,1.0.2g
CVE-2016-0705 Critical 9.8 opensslOpenSSL_1_0_1g Direct 1.0.1s,1.0.2g
CVE-2009-3245 Critical 9.8 opensslOpenSSL_1_0_1g Direct 0.9.8m
CVE-2016-2176 High 8.2 opensslOpenSSL_1_0_1g Direct 1.0.1t,1.0.2h
CVE-2023-0464 High 7.5 detected in multiple dependencies Direct OpenSSL_1_1_1u,openssl-3.0.9,openssl-3.1.1
CVE-2022-0778 High 7.5 opensslOpenSSL_1_0_1g Direct OpenSSL_1_1_1n, openssl-3.0.2
CVE-2016-6304 High 7.5 opensslOpenSSL_1_0_1g Direct 1.0.1u,1.0.2i,1.1.0a
CVE-2016-6302 High 7.5 opensslOpenSSL_1_0_1g Direct 1.1.0
CVE-2016-2183 High 7.5 opensslOpenSSL_1_0_1g Direct 1.0.2i,1.0.1u
CVE-2016-2181 High 7.5 opensslOpenSSL_1_0_1g Direct 1.1.0
CVE-2016-2180 High 7.5 opensslOpenSSL_1_0_1g Direct 1.0.1u,1.0.2i
CVE-2016-2179 High 7.5 detected in multiple dependencies Direct 1.0.1u,1.0.2i
CVE-2016-2109 High 7.5 opensslOpenSSL_1_0_1g Direct 1.0.1t,1.0.2h
CVE-2016-2106 High 7.5 opensslOpenSSL_1_0_1g Direct 1.0.1t,1.0.2h
CVE-2016-2105 High 7.5 opensslOpenSSL_1_0_1g Direct 1.0.1t,1.0.2h
CVE-2016-0798 High 7.5 detected in multiple dependencies Direct 1.0.1s,1.0.2g
CVE-2016-0797 High 7.5 detected in multiple dependencies Direct 1.0.1s,1.0.2g
CVE-2015-3194 High 7.5 opensslOpenSSL_1_0_1g Direct 1.0.1q,1.0.2e
CVE-2023-0286 High 7.4 opensslOpenSSL_1_0_1g Direct openssl-3.0.8;cryptography - 39.0.1;openssl-src - 111.25.0+1.1.1t,300.0.12+3.0.8
CVE-2021-3712 High 7.4 detected in multiple dependencies Direct OpenSSL - 1.1.1l
CVE-2014-0224 High 7.4 detected in multiple dependencies Direct 0.9.8za,1.0.0m,1.0.1h
CVE-2015-0292 High 7.3 opensslOpenSSL_1_0_1g Direct 0.9.8za,1.0.0m,1.0.1h
CVE-2014-8176 High 7.3 opensslOpenSSL_1_0_1g Direct 0.9.8za,1.0.0m,1.0.1h
CVE-2014-3512 High 7.3 opensslOpenSSL_1_0_1g Direct 1.0.1i
CVE-2012-2110 High 7.3 opensslOpenSSL_1_0_1g Direct 0.9.8v,1.0.0i,1.0.1a
CVE-2010-4252 High 7.3 opensslOpenSSL_1_0_1g Direct 1.0.0c
CVE-2018-0734 Medium 5.9 opensslOpenSSL_1_0_1g Direct 1.0.2q,1.1.0j,1.1.1a
CVE-2016-6306 Medium 5.9 detected in multiple dependencies Direct 1.0.1u,1.0.2i
CVE-2016-2107 Medium 5.9 opensslOpenSSL_1_0_1g Direct 1.0.1t,1.0.2h
CVE-2016-0800 Medium 5.9 detected in multiple dependencies Direct 1.0.1s,1.0.2g
CVE-2016-0704 Medium 5.9 opensslOpenSSL_1_0_1g Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2016-0703 Medium 5.9 opensslOpenSSL_1_0_1g Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2015-3197 Medium 5.9 opensslOpenSSL_1_0_1g Direct 1.0.1r,1.0.2f
CVE-2014-3567 Medium 5.9 opensslOpenSSL_1_0_1g Direct 0.9.8zc,1.0.0o,1.0.1j
CVE-2014-3513 Medium 5.9 detected in multiple dependencies Direct 1.0.1j
CVE-2015-1791 Medium 5.6 opensslOpenSSL_1_0_1g Direct 0.9.8zg,1.0.0s,1.0.1n,1.0.2b
CVE-2015-0209 Medium 5.6 opensslOpenSSL_1_0_1g Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2014-3509 Medium 5.6 opensslOpenSSL_1_0_1g Direct 1.0.0n,1.0.1i
CVE-2014-0195 Medium 5.6 opensslOpenSSL_1_0_1g Direct 0.9.8za,1.0.0m,1.0.1h
CVE-2024-0727 Medium 5.5 detected in multiple dependencies Direct OpenSSL_1_1_1x,OpenSSL_1_0_2zj,openssl-3.0.13,openssl-3.1.5,openssl-3.2.1
CVE-2016-7056 Medium 5.5 detected in multiple dependencies Direct OpenSSL_1_0_2-beta3
CVE-2016-2178 Medium 5.5 opensslOpenSSL_1_0_1g Direct openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1
CVE-2015-3195 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zh,1.0.0t,1.0.1q,1.0.2e
CVE-2015-1792 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zg,1.0.0s,1.0.1n,1.0.2b
CVE-2015-1790 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zg,1.0.0s,1.0.1n,1.0.2b
CVE-2015-0293 Medium 5.3 detected in multiple dependencies Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2015-0289 Medium 5.3 detected in multiple dependencies Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2015-0288 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2015-0287 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2015-0286 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zf,1.0.0r,1.0.1m,1.0.2a
CVE-2015-0206 Medium 5.3 opensslOpenSSL_1_0_1g Direct 1.0.0p,1.0.1k
CVE-2015-0205 Medium 5.3 opensslOpenSSL_1_0_1g Direct 1.0.0p,1.0.1k
CVE-2014-8275 Medium 5.3 detected in multiple dependencies Direct 0.9.8zd,1.0.0p,1.0.1k
CVE-2014-3572 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zd,1.0.0p,1.0.1k
CVE-2014-3571 Medium 5.3 detected in multiple dependencies Direct 0.9.8zd,1.0.0p,1.0.1k
CVE-2014-3570 Medium 5.3 detected in multiple dependencies Direct 0.9.8zd,1.0.0p,1.0.1k
CVE-2014-3569 Medium 5.3 opensslOpenSSL_1_0_1g Direct OpenSSL_1_0_2a
CVE-2014-3507 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zb,1.0.0n,1.0.1i
CVE-2014-3506 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zb,1.0.0n,1.0.1i
CVE-2014-3505 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8zb,1.0.0n,1.0.1i
CVE-2012-1165 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8u,1.0.0h
CVE-2009-4355 Medium 5.3 opensslOpenSSL_1_0_1g Direct 0.9.8m, 1.0.0beta5
CVE-2016-0702 Medium 5.1 opensslOpenSSL_1_0_1g Direct 1.0.1s,1.0.2g
CVE-2010-5298 Medium 4.8 opensslOpenSSL_1_0_1g Direct openssl-libs - 1.0.1e-34,1.0.1e-34,1.0.1e-34,1.0.1e-34;openssl-perl - 1.0.1e-34,1.0.1e-16,1.0.1e-16,1.0.1e-34;openssl - 1.0.1e-16,1.0.1e-16,1.0.1e-34,1.0.1e-16,1.0.1e-34,1.0.1e-16,1.0.1e-34;openssl-static - 1.0.1e-16,1.0.1e-34,1.0.1e-34,1.0.1e-16,1.0.1e-34,1.0.1e-34;openssl-devel - 1.0.1e-34,1.0.1e-34,1.0.1e-34,1.0.1e-16,1.0.1e-34,1.0.1e-16;openssl-debuginfo - 1.0.1e-34,1.0.1e-16,1.0.1e-16,1.0.1e-34
CVE-2008-5077 Medium 4.8 opensslOpenSSL_1_0_1g Direct 0.9.8j
CVE-2018-5407 Medium 4.7 detected in multiple dependencies Direct OpenSSL_1_1_0i,OpenSSL_1_1_1
CVE-2021-23839 Low 3.7 opensslOpenSSL_1_0_1g Direct OpenSSL_1_1_1j
CVE-2015-3196 Low 3.7 detected in multiple dependencies Direct 1.0.0t,1.0.1p,1.0.2d
CVE-2015-1788 Low 3.7 detected in multiple dependencies Direct 0.9.8s,1.0.0e,1.0.1n,1.0.2b
CVE-2014-5139 Low 3.7 detected in multiple dependencies Direct 1.0.1i
CVE-2014-3568 Low 3.7 detected in multiple dependencies Direct 0.9.8zc,1.0.0o,1.0.1j
CVE-2014-3511 Low 3.7 opensslOpenSSL_1_0_1g Direct 1.0.1i
CVE-2014-3510 Low 3.7 opensslOpenSSL_1_0_1g Direct 0.9.8zb,1.0.0n,1.0.1i
CVE-2014-3508 Low 3.7 detected in multiple dependencies Direct 0.9.8zb,1.0.0n,1.0.1i
CVE-2014-3470 Low 3.7 opensslOpenSSL_1_0_1g Direct 0.9.8za,1.0.0m,1.0.1h
CVE-2014-0221 Low 3.7 opensslOpenSSL_1_0_1g Direct 0.9.8za,1.0.0m,1.0.1h
CVE-2014-0198 Low 3.7 opensslOpenSSL_1_0_1g Direct openssl.redist - 1.0.1.25
CVE-2013-6449 Low 3.7 opensslOpenSSL_1_0_1g Direct 1.0.2
CVE-2013-0169 Low 3.7 opensslOpenSSL_1_0_1g Direct java-1.6.0-openjdk - 1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8;java-1.7.0-openjdk-src - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-devel - 1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8;java-1.7.0-openjdk - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-src - 1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8;openssl-perl - 0.9.8e-26,0.9.8e-26;openssl - 0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26;java-1.6.0-openjdk-javadoc - 1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8;openssl-devel - 0.9.8e-26,0.9.8e-26;java-1.7.0-openjdk-demo - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-demo - 1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8;java-1.7.0-openjdk-debuginfo - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;openssl-debuginfo - 0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26,0.9.8e-26;java-1.7.0-openjdk-javadoc - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1;java-1.6.0-openjdk-debuginfo - 1.6.0.0-1.56.1.11.8,1.6.0.0-1.56.1.11.8,1.6.0.0-1.35.1.11.8,1.6.0.0-1.35.1.11.8;java-1.7.0-openjdk-devel - 1.7.0.9-2.3.7.1,1.7.0.9-2.3.7.1
CVE-2014-3566 Low 3.4 detected in multiple dependencies Direct openssl - 1.0.2;openssl-android - 1.0.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-46880 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/crypto/x509/x509_vfy.c

### Vulnerability Details

x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded.

Publish Date: 2023-04-15

URL: CVE-2021-46880

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-6303 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (3)

/crypto/mdc2/mdc2dgst.c /crypto/mdc2/mdc2dgst.c /crypto/mdc2/mdc2dgst.c

### Vulnerability Details

Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

Publish Date: 2016-09-16

URL: CVE-2016-6303

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303

Release Date: 2016-09-16

Fix Resolution: 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2842 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/bio/b_print.c /crypto/bio/b_print.c

### Vulnerability Details

The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

Publish Date: 2016-03-03

URL: CVE-2016-2842

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2842

Release Date: 2016-03-03

Fix Resolution: 1.0.1s,1.0.2g

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2182 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/bn/bn_print.c /crypto/bn/bn_print.c

### Vulnerability Details

The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.

Publish Date: 2016-09-16

URL: CVE-2016-2182

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/secadv/20160922.txt

Release Date: 2016-09-16

Fix Resolution: 1.0.1u,1.0.2i

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2177 ### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

Publish Date: 2016-06-20

URL: CVE-2016-2177

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2177

Release Date: 2016-06-20

Fix Resolution: openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2108 ### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

Publish Date: 2016-05-05

URL: CVE-2016-2108

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2108

Release Date: 2016-05-05

Fix Resolution: 1.0.1o,1.0.2c

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-0799 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/bio/b_print.c /crypto/bio/b_print.c

### Vulnerability Details

The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.

Publish Date: 2016-03-03

URL: CVE-2016-0799

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0799

Release Date: 2016-03-03

Fix Resolution: 1.0.1s,1.0.2g

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-0705 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/dsa/dsa_ameth.c /crypto/dsa/dsa_ameth.c

### Vulnerability Details

Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.

Publish Date: 2016-03-03

URL: CVE-2016-0705

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0705

Release Date: 2016-03-03

Fix Resolution: 1.0.1s,1.0.2g

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2009-3245 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (3)

/crypto/bn/bn_mul.c /crypto/bn/bn_mul.c /crypto/bn/bn_mul.c

### Vulnerability Details

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

Publish Date: 2010-03-05

URL: CVE-2009-3245

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3245

Release Date: 2010-03-05

Fix Resolution: 0.9.8m

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2176 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/x509/x509_obj.c /crypto/x509/x509_obj.c

### Vulnerability Details

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Publish Date: 2016-05-05

URL: CVE-2016-2176

### CVSS 3 Score Details (8.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2176

Release Date: 2016-05-05

Fix Resolution: 1.0.1t,1.0.2h

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-0464 ### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Publish Date: 2023-03-22

URL: CVE-2023-0464

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: NO_FIX

Release Date: 2023-03-22

Fix Resolution: OpenSSL_1_1_1u,openssl-3.0.9,openssl-3.1.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-0778 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (3)

/crypto/bn/bn_sqrt.c /crypto/bn/bn_sqrt.c /crypto/bn/bn_sqrt.c

### Vulnerability Details

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Publish Date: 2022-03-15

URL: CVE-2022-0778

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-jf66-3q76-h5p5

Release Date: 2022-03-15

Fix Resolution: OpenSSL_1_1_1n, openssl-3.0.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-6304 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/ssl/t1_lib.c

### Vulnerability Details

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

Publish Date: 2016-09-26

URL: CVE-2016-6304

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304

Release Date: 2016-09-26

Fix Resolution: 1.0.1u,1.0.2i,1.1.0a

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-6302 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/ssl/t1_lib.c

### Vulnerability Details

The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.

Publish Date: 2016-09-16

URL: CVE-2016-6302

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6175

Release Date: 2016-09-16

Fix Resolution: 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2183 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/ssl/s3_lib.c /ssl/s3_lib.c

### Vulnerability Details

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Publish Date: 2016-09-01

URL: CVE-2016-2183

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6206

Release Date: 2016-09-01

Fix Resolution: 1.0.2i,1.0.1u

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2181 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/ssl/ssl_err.c /ssl/ssl_err.c

### Vulnerability Details

The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.

Publish Date: 2016-09-16

URL: CVE-2016-2181

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/6175

Release Date: 2016-09-16

Fix Resolution: 1.1.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2180 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (2)

/crypto/ts/ts_lib.c /crypto/ts/ts_lib.c

### Vulnerability Details

The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.

Publish Date: 2016-08-01

URL: CVE-2016-2180

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1359615

Release Date: 2016-08-01

Fix Resolution: 1.0.1u,1.0.2i

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2179 ### Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

### Vulnerability Details

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.

Publish Date: 2016-09-16

URL: CVE-2016-2179

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/secadv/20160922.txt

Release Date: 2016-09-16

Fix Resolution: 1.0.1u,1.0.2i

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2109 ### Vulnerable Library - opensslOpenSSL_1_0_1g

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: master

### Vulnerable Source Files (1)

/crypto/asn1/a_d2i_fp.c

### Vulnerability Details

The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

Publish Date: 2016-05-05

URL: CVE-2016-2109

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2109

Release Date: 2016-05-05

Fix Resolution: 1.0.1t,1.0.2h

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 8 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.