Search criteria
45 vulnerabilities found for polarssl by polarssl
FKIE_CVE-2011-4574
Vulnerability from fkie_nvd - Published: 2021-10-27 01:15 - Updated: 2024-11-21 01:32
Severity ?
Summary
PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDD46886-D113-42AE-A06E-B2563A046094",
"versionEndExcluding": "1.1.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor\u0027s high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results."
},
{
"lang": "es",
"value": "PolarSSL versiones anteriores a v1.1, usan el algoritmo de generaci\u00f3n de n\u00fameros aleatorios HAVEGE. En su esencia, \u00e9ste usa informaci\u00f3n de tiempo basada en el temporizador de alta resoluci\u00f3n del procesador (la instrucci\u00f3n RDTSC). Esta instrucci\u00f3n puede ser virtualizada, y algunos hosts de m\u00e1quinas virtuales han optado por deshabilitar esta instrucci\u00f3n, devolviendo 0s o resultados predecibles"
}
],
"id": "CVE-2011-4574",
"lastModified": "2024-11-21T01:32:34.847",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-27T01:15:07.067",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-338"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}
FKIE_CVE-2012-2130
Vulnerability from fkie_nvd - Published: 2019-12-06 18:15 - Updated: 2024-11-21 01:38
Severity ?
Summary
A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| polarssl | polarssl | * | |
| polarssl | polarssl | 0.99 | |
| polarssl | polarssl | 0.99 | |
| debian | debian_linux | 8.0 | |
| fedoraproject | fedora | 17 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3EA324-8345-4116-9E0B-DAD89EE4AE34",
"versionEndIncluding": "1.1.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:0.99:pre4:*:*:*:*:*:*",
"matchCriteriaId": "22EA88C6-E217-4D1F-981B-096930A7728C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:0.99:pre5:*:*:*:*:*:*",
"matchCriteriaId": "0BB29D8D-8287-4B5B-967F-55DCA0C0ED2B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:17:*:*:*:*:*:*:*",
"matchCriteriaId": "2DA9D861-3EAF-42F5-B0B6-A4CD7BDD6188",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys."
},
{
"lang": "es",
"value": "Se presenta una vulnerabilidad de Omisi\u00f3n de Seguridad en PolarSSL versiones 0.99pre4 hasta 1.1.1, debido a un error de cifrado d\u00e9bil cuando se generan valores Diffie-Hellman y claves RSA."
}
],
"id": "CVE-2012-2130",
"lastModified": "2024-11-21T01:38:33.657",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-06T18:15:10.310",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/53610"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/53610"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-326"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-8036
Vulnerability from fkie_nvd - Published: 2015-11-02 19:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| arm | mbed_tls | * | |
| arm | mbed_tls | * | |
| polarssl | polarssl | * | |
| debian | debian_linux | 7.0 | |
| debian | debian_linux | 8.0 | |
| fedoraproject | fedora | 21 | |
| opensuse | opensuse | 13.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CF74B3-EE14-4615-85C5-196306A17171",
"versionEndExcluding": "1.3.14",
"versionStartIncluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*",
"matchCriteriaId": "299E0E3C-D91B-4AD9-9679-391FC6DDC515",
"versionEndExcluding": "2.1.2",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "011FF886-C20F-4577-8660-2462CFA25068",
"versionEndIncluding": "1.2.17",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges."
},
{
"lang": "es",
"value": "Vulnerabilidad de desbordamiento de buffer basado en memoria en ARM mbed TLS (anteriormente PolarSSL) 1.3.x en versiones anteriores a 1.3.14 y 2.x en versiones anteriores a 2.1.2 permite a servidores SSL remotos provocar una denegaci\u00f3n de servicio (ca\u00edda del cliente) y posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de un nombre largo de ticket de sesi\u00f3n para la extensi\u00f3n del ticket de sesi\u00f3n, el cual no es manejado correctamente cuando se crea un mensaje ClientHello para reanudar una sesi\u00f3n. NOTA: este identificador fue SEPARADO de CVE-2015-5291 por ADT3 debido a los diferentes intervalos de versi\u00f3n afectados."
}
],
"id": "CVE-2015-8036",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-11-02T19:59:16.267",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-5291
Vulnerability from fkie_nvd - Published: 2015-11-02 19:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| arm | mbed_tls | * | |
| arm | mbed_tls | * | |
| polarssl | polarssl | * | |
| debian | debian_linux | 7.0 | |
| debian | debian_linux | 8.0 | |
| fedoraproject | fedora | 21 | |
| fedoraproject | fedora | 22 | |
| fedoraproject | fedora | 23 | |
| opensuse | leap | 42.1 | |
| opensuse | opensuse | 13.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A8CF74B3-EE14-4615-85C5-196306A17171",
"versionEndExcluding": "1.3.14",
"versionStartIncluding": "1.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*",
"matchCriteriaId": "299E0E3C-D91B-4AD9-9679-391FC6DDC515",
"versionEndExcluding": "2.1.2",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA81DF90-35D1-43B7-9AEA-9B054EAACB9C",
"versionEndExcluding": "1.2.17",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*",
"matchCriteriaId": "253C303A-E577-4488-93E6-68A8DD942C38",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
"matchCriteriaId": "E79AB8DD-C907-4038-A931-1A5A4CFB6A5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4863BE36-D16A-4D75-90D9-FD76DB5B48B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0."
},
{
"lang": "es",
"value": "Vulnerabilidad de desbordamiento de buffer basado en memoria en PolarSSL 1.x en versiones anteriores a 1.2.17 y ARM mbed TLS (anteriormente PolarSSL) 1.3.x en versiones anteriores a 1.3.14 y 2.x en versiones anteriores a 2.1.2 permite a servidores remotos SSL provocar una denegaci\u00f3n de servicio (ca\u00edda de cliente) y posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de una extensi\u00f3n larga de hostname para el indicador del nombre del servidor (SNI), el cual no es manejado correctamente cuando se crea un mensaje ClientHello. NOTA: este identificador ha sido SEPARADO por ADT3 debido a los diferentes intervalos de versi\u00f3n afectados. Ver CVE-2015-8036 para el problema del ticket de sesi\u00f3n que fue introducido en 1.3.0."
}
],
"id": "CVE-2015-5291",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-11-02T19:59:05.123",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-9744
Vulnerability from fkie_nvd - Published: 2015-08-24 15:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "85DCC4A4-8FFE-44FB-945B-775D1B6D3BD2",
"versionEndIncluding": "1.3.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions."
},
{
"lang": "es",
"value": "Vulnerabilidad de fuga de memoria en PolarSSL en versiones anteriores a 1.3.9, permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de una gran cantidad de mensajes CLientHello. NOTA: este identificador ha sido SEPARADO de CVE-2014-8628 por ADT3 debido a las diferentes versiones afectadas."
}
],
"id": "CVE-2014-9744",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-08-24T15:59:03.213",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-8628
Vulnerability from fkie_nvd - Published: 2015-08-24 15:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "21C4BF72-F3E9-49F7-BC63-55D85D82EC63",
"versionEndIncluding": "1.2.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9400165F-7CA8-43B6-9C18-A9B68960C69D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F27E26E-D912-462A-AE70-90AA058B9DDF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FEB54854-6DC9-44B9-A94A-671C17C1F0A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "495BE6FC-806F-489E-85EF-5F6CF3E6B068",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E56EC828-5984-4800-B366-3E3A2ED4A397",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0A5B11-E428-4B81-8125-4C26DC42733F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B085B300-6A08-4649-AB6A-167761D3138A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E1F43435-B2E1-4CF5-A7B7-0FD50C905783",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A69FA32E-55FE-4F00-B209-D31B88986B5E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue."
},
{
"lang": "es",
"value": "Vulnerabilidad de fuga de memoria en PolarSSL en versiones anteriores a 1.2.12 y 1.3.x en versiones anteriores a 1.3.9, permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de memoria) a trav\u00e9s de una gran cantidad de certificados X.509 manipulados. NOTA: este identificador ha sido SEPARADO por ADT3 debido a las diferentes versiones afectadas. Ver CVE-2014-9744 para el caso de mensaje ClientHello."
}
],
"id": "CVE-2014-8628",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-08-24T15:59:00.090",
"references": [
{
"source": "security@opentext.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"source": "security@opentext.com",
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"source": "security@opentext.com",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
},
{
"source": "security@opentext.com",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
],
"sourceIdentifier": "security@opentext.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-399"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-1182
Vulnerability from fkie_nvd - Published: 2015-01-27 20:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| opensuse | opensuse | 13.2 | |
| polarssl | polarssl | 1.0.0 | |
| polarssl | polarssl | 1.1.0 | |
| polarssl | polarssl | 1.1.0 | |
| polarssl | polarssl | 1.1.0 | |
| polarssl | polarssl | 1.1.1 | |
| polarssl | polarssl | 1.1.2 | |
| polarssl | polarssl | 1.1.3 | |
| polarssl | polarssl | 1.1.4 | |
| polarssl | polarssl | 1.1.5 | |
| polarssl | polarssl | 1.1.6 | |
| polarssl | polarssl | 1.1.7 | |
| polarssl | polarssl | 1.1.8 | |
| polarssl | polarssl | 1.2.0 | |
| polarssl | polarssl | 1.2.1 | |
| polarssl | polarssl | 1.2.2 | |
| polarssl | polarssl | 1.2.3 | |
| polarssl | polarssl | 1.2.4 | |
| polarssl | polarssl | 1.2.5 | |
| polarssl | polarssl | 1.2.6 | |
| polarssl | polarssl | 1.2.7 | |
| polarssl | polarssl | 1.2.8 | |
| polarssl | polarssl | 1.2.9 | |
| polarssl | polarssl | 1.2.10 | |
| polarssl | polarssl | 1.2.11 | |
| polarssl | polarssl | 1.2.12 | |
| polarssl | polarssl | 1.3.0 | |
| polarssl | polarssl | 1.3.0 | |
| polarssl | polarssl | 1.3.0 | |
| polarssl | polarssl | 1.3.1 | |
| polarssl | polarssl | 1.3.2 | |
| polarssl | polarssl | 1.3.3 | |
| polarssl | polarssl | 1.3.4 | |
| polarssl | polarssl | 1.3.5 | |
| polarssl | polarssl | 1.3.6 | |
| polarssl | polarssl | 1.3.7 | |
| polarssl | polarssl | 1.3.8 | |
| polarssl | polarssl | 1.3.9 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*",
"matchCriteriaId": "03117DF1-3BEC-4B8D-AD63-DBBDB2126081",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E25A1C90-15E9-4577-B25D-855D48C4F4E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "18BC3056-6CF9-4C6A-9F03-C8812CA10AF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*",
"matchCriteriaId": "02CE9326-279B-4CFE-8FBD-4450793D9C67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "7513F8AC-A847-412D-B657-9426E4C6C020",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE920F-DBD6-4D01-87E1-26FA10101692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C6F1E192-D0F2-476E-A7A9-AFB031687533",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2F9DDE3F-26AE-41E0-9433-E5C018C699E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "40F9819E-798E-4DA6-A7E4-39A85B68A5F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E9001635-AA9C-4165-B021-2B296CF6DE1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "1D105753-A704-4BF4-BD7A-99985911B943",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "5464618A-E70D-4C11-A8BE-9827AD2F3EDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "8C3FE7E6-8199-4C93-8BAB-FADA297D1BF4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8CF482DF-9F5C-45D6-AA5E-D9163A710AAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F5152886-DFBB-415C-99E0-A7E645A5F86B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C5BD989E-FC1D-44D2-9394-C36AD18325DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AE349CDB-AE50-4043-86EF-1CED401AAEFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "48FAB18E-F1C9-46B2-985E-28AC2736DB3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7C453569-3736-4FC3-87FE-8282A1572CA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E86CC3C2-C0D0-420A-97FA-1862B9CF2CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "67CE5D3D-FE2C-403E-9A90-43CB04A96CD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "229B9538-A16D-4572-B9CA-5FA2E4B56D8A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "0E3F98E8-E610-41BC-949A-09382B612D16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "4322DC6C-E4B6-4561-B4E5-3877917FABB6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "4AFBCD38-BAC7-4144-AED2-A93201607B65",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "226B0E63-062C-47F0-AF63-42028145CA8A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9400165F-7CA8-43B6-9C18-A9B68960C69D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "9E55CFB7-DD01-49EB-87CC-B7CC76B2B638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.0:rc0:*:*:*:*:*:*",
"matchCriteriaId": "AD884F2C-3E94-4815-A035-E1134E55991F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F27E26E-D912-462A-AE70-90AA058B9DDF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FEB54854-6DC9-44B9-A94A-671C17C1F0A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "495BE6FC-806F-489E-85EF-5F6CF3E6B068",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E56EC828-5984-4800-B366-3E3A2ED4A397",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0A5B11-E428-4B81-8125-4C26DC42733F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B085B300-6A08-4649-AB6A-167761D3138A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E1F43435-B2E1-4CF5-A7B7-0FD50C905783",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A69FA32E-55FE-4F00-B209-D31B88986B5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "1AC41F8B-F625-4969-9289-4AB1B60BD9B8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate."
},
{
"lang": "es",
"value": "La funci\u00f3n asn1_get_sequence_of en library/asn1parse.c en PolarSSL 1.0 hasta 1.2.12 y 1.3.x hasta 1.3.9 no inicializa correctamente un puntero en la lista vinculada asn1_sequence, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (ca\u00edda) o posiblemente ejecutar c\u00f3digo arbitrario a trav\u00e9s de una secuencias ASN.1 manipulada en un certificado."
}
],
"evaluatorComment": "\u003ca href=\"http://cwe.mitre.org/data/definitions/824.html\"\u003eCWE-824: Access of Uninitialized Pointer\u003c/a\u003e",
"id": "CVE-2015-1182",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-01-27T20:59:14.277",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/62270"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/62610"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2015/dsa-3136"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/201801-15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/62270"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/62610"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2015/dsa-3136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/201801-15"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-8627
Vulnerability from fkie_nvd - Published: 2014-11-24 15:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A69FA32E-55FE-4F00-B209-D31B88986B5E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors."
},
{
"lang": "es",
"value": "PolarSSL 1.3.8 no negocia debidamente el algoritmo de la firma que utilizar, lo que permite a atacantes remotos realizar ataques de degradaci\u00f3n a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2014-8627",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-24T15:59:11.060",
"references": [
{
"source": "security@opentext.com",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"source": "security@opentext.com",
"url": "http://secunia.com/advisories/61220"
},
{
"source": "security@opentext.com",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61220"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
],
"sourceIdentifier": "security@opentext.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-4911
Vulnerability from fkie_nvd - Published: 2014-07-22 14:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| polarssl | polarssl | 1.3.0 | |
| polarssl | polarssl | 1.3.0 | |
| polarssl | polarssl | 1.3.0 | |
| polarssl | polarssl | 1.3.1 | |
| polarssl | polarssl | 1.3.2 | |
| polarssl | polarssl | 1.3.3 | |
| polarssl | polarssl | 1.3.4 | |
| polarssl | polarssl | 1.3.5 | |
| polarssl | polarssl | 1.3.6 | |
| polarssl | polarssl | 1.3.7 | |
| polarssl | polarssl | * | |
| polarssl | polarssl | 1.2.0 | |
| polarssl | polarssl | 1.2.1 | |
| polarssl | polarssl | 1.2.2 | |
| polarssl | polarssl | 1.2.3 | |
| polarssl | polarssl | 1.2.4 | |
| polarssl | polarssl | 1.2.5 | |
| polarssl | polarssl | 1.2.6 | |
| polarssl | polarssl | 1.2.7 | |
| polarssl | polarssl | 1.2.8 | |
| polarssl | polarssl | 1.2.9 | |
| debian | debian_linux | 6.0 | |
| debian | debian_linux | 7.0 | |
| debian | debian_linux | 8.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9400165F-7CA8-43B6-9C18-A9B68960C69D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "9E55CFB7-DD01-49EB-87CC-B7CC76B2B638",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.0:rc0:*:*:*:*:*:*",
"matchCriteriaId": "AD884F2C-3E94-4815-A035-E1134E55991F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5F27E26E-D912-462A-AE70-90AA058B9DDF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FEB54854-6DC9-44B9-A94A-671C17C1F0A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "495BE6FC-806F-489E-85EF-5F6CF3E6B068",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "E56EC828-5984-4800-B366-3E3A2ED4A397",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DC0A5B11-E428-4B81-8125-4C26DC42733F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B085B300-6A08-4649-AB6A-167761D3138A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "E1F43435-B2E1-4CF5-A7B7-0FD50C905783",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "963DEE80-E81A-4559-BBF9-4A7970F59A6A",
"versionEndIncluding": "1.2.10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8CF482DF-9F5C-45D6-AA5E-D9163A710AAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "F5152886-DFBB-415C-99E0-A7E645A5F86B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C5BD989E-FC1D-44D2-9394-C36AD18325DE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "AE349CDB-AE50-4043-86EF-1CED401AAEFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "48FAB18E-F1C9-46B2-985E-28AC2736DB3F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7C453569-3736-4FC3-87FE-8282A1572CA3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E86CC3C2-C0D0-420A-97FA-1862B9CF2CE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "67CE5D3D-FE2C-403E-9A90-43CB04A96CD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "229B9538-A16D-4572-B9CA-5FA2E4B56D8A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "0E3F98E8-E610-41BC-949A-09382B612D16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "036E8A89-7A16-411F-9D31-676313BB7244",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit."
},
{
"lang": "es",
"value": "La funci\u00f3n ssl_decrypt_buf en library/ssl_tls.c en PolarSSL anterior a 1.2.11 y 1.3.x anterior a 1.3.8 permite a atacantes remotos causar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de vectores relacionados con los suites de cifrado GCM, tal y como fue demostrado al utilizar el juego de herramientas Codenomicon Defensics."
}
],
"id": "CVE-2014-4911",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-07-22T14:55:09.817",
"references": [
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/60215"
},
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/60215"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2013-5914
Vulnerability from fkie_nvd - Published: 2013-10-26 17:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:polarssl:polarssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83F793ED-6FDD-42F4-B87F-47A4D8D905A0",
"versionEndIncluding": "1.1.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E25A1C90-15E9-4577-B25D-855D48C4F4E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "18BC3056-6CF9-4C6A-9F03-C8812CA10AF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.0:rc0:*:*:*:*:*:*",
"matchCriteriaId": "02CE9326-279B-4CFE-8FBD-4450793D9C67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "7513F8AC-A847-412D-B657-9426E4C6C020",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "88CE920F-DBD6-4D01-87E1-26FA10101692",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C6F1E192-D0F2-476E-A7A9-AFB031687533",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "2F9DDE3F-26AE-41E0-9433-E5C018C699E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "40F9819E-798E-4DA6-A7E4-39A85B68A5F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "E9001635-AA9C-4165-B021-2B296CF6DE1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:polarssl:polarssl:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "1D105753-A704-4BF4-BD7A-99985911B943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet."
},
{
"lang": "es",
"value": "Buffer overflow en la func\u00f3n ssl_read_record en ssl_tls.c de PolarSSL anterior a la versi\u00f3n 1.1.8, cuando se utiliza TLS 1.1, podr\u00eda permitir a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de un paquete largo."
}
],
"id": "CVE-2013-5914",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-10-26T17:55:03.417",
"references": [
{
"source": "cve@mitre.org",
"url": "http://www.debian.org/security/2013/dsa-2782"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2013/dsa-2782"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-119"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2011-4574 (GCVE-0-2011-4574)
Vulnerability from cvelistv5 – Published: 2021-10-27 00:52 – Updated: 2024-08-07 00:09
VLAI?
Summary
PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:09:19.410Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PolarSSL",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PolarSSL 1.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor\u0027s high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-27T00:52:57",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-4574",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PolarSSL",
"version": {
"version_data": [
{
"version_value": "PolarSSL 1.1.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor\u0027s high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-338"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02",
"refsource": "MISC",
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-4574",
"datePublished": "2021-10-27T00:52:57",
"dateReserved": "2011-11-29T00:00:00",
"dateUpdated": "2024-08-07T00:09:19.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2130 (GCVE-0-2012-2130)
Vulnerability from cvelistv5 – Published: 2019-12-06 17:13 – Updated: 2024-08-06 19:26
VLAI?
Summary
A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys.
Severity ?
No CVSS data available.
CWE
- weak key generation in 0.99pre4 throught to 1.1.1
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:08.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53610"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "polarssl",
"vendor": "polarssl",
"versions": [
{
"status": "affected",
"version": "0.99pre4 through 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "weak key generation in 0.99pre4 throught to 1.1.1",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-06T17:13:26",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/53610"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2130",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "polarssl",
"version": {
"version_data": [
{
"version_value": "0.99pre4 through 1.1.1"
}
]
}
}
]
},
"vendor_name": "polarssl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "weak key generation in 0.99pre4 throught to 1.1.1"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2012-2130",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"name": "http://security.gentoo.org/glsa/glsa-201310-10.xml",
"refsource": "MISC",
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"name": "http://www.securityfocus.com/bid/53610",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/53610"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2130",
"datePublished": "2019-12-06T17:13:26",
"dateReserved": "2012-04-04T00:00:00",
"dateUpdated": "2024-08-06T19:26:08.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5291 (GCVE-0-2015-5291)
Vulnerability from cvelistv5 – Published: 2015-11-02 19:00 – Updated: 2024-08-06 06:41
VLAI?
Summary
Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:09.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "FEDORA-2015-e22bb33731",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"name": "FEDORA-2015-7f939b3af5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2015:2257",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"name": "GLSA-201706-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"name": "openSUSE-SU-2015:2371",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-30T16:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "FEDORA-2015-e22bb33731",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"name": "FEDORA-2015-7f939b3af5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2015:2257",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"name": "GLSA-201706-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"name": "openSUSE-SU-2015:2371",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5291",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3468",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"name": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf",
"refsource": "MISC",
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"name": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/",
"refsource": "MISC",
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "FEDORA-2015-e22bb33731",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"name": "FEDORA-2015-7f939b3af5",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"name": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01",
"refsource": "CONFIRM",
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2015:2257",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"name": "GLSA-201706-18",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"name": "openSUSE-SU-2015:2371",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5291",
"datePublished": "2015-11-02T19:00:00",
"dateReserved": "2015-07-01T00:00:00",
"dateUpdated": "2024-08-06T06:41:09.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8036 (GCVE-0-2015-8036)
Vulnerability from cvelistv5 – Published: 2015-11-02 19:00 – Updated: 2024-08-06 08:06
VLAI?
Summary
Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:06:31.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2016:1928",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-02T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2016:1928",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8036",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3468",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"name": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf",
"refsource": "MISC",
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"name": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/",
"refsource": "MISC",
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01",
"refsource": "CONFIRM",
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2016:1928",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8036",
"datePublished": "2015-11-02T19:00:00",
"dateReserved": "2015-11-02T00:00:00",
"dateUpdated": "2024-08-06T08:06:31.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8628 (GCVE-0-2014-8628)
Vulnerability from cvelistv5 – Published: 2015-08-24 15:00 – Updated: 2024-08-06 13:26
VLAI?
Summary
Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:26:02.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "DSA-3116",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-06T16:15:37",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "microfocus"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "DSA-3116",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@microfocus.com",
"ID": "CVE-2014-8628",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2014:1457",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "DSA-3116",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "microfocus",
"cveId": "CVE-2014-8628",
"datePublished": "2015-08-24T15:00:00",
"dateReserved": "2014-11-06T00:00:00",
"dateUpdated": "2024-08-06T13:26:02.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9744 (GCVE-0-2014-9744)
Vulnerability from cvelistv5 – Published: 2015-08-24 15:00 – Updated: 2024-09-16 18:33
VLAI?
Summary
Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:55:04.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-08-24T15:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2014:1457",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9744",
"datePublished": "2015-08-24T15:00:00Z",
"dateReserved": "2015-08-24T00:00:00Z",
"dateUpdated": "2024-09-16T18:33:17.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1182 (GCVE-0-2015-1182)
Vulnerability from cvelistv5 – Published: 2015-01-27 15:00 – Updated: 2024-08-06 04:33
VLAI?
Summary
The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:33:20.872Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2015-0991",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"name": "62270",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/62270"
},
{
"name": "FEDORA-2015-1045",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"name": "openSUSE-SU-2015:0186",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"name": "GLSA-201801-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201801-15"
},
{
"name": "62610",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/62610"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"name": "DSA-3136",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3136"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-15T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "FEDORA-2015-0991",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"name": "62270",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/62270"
},
{
"name": "FEDORA-2015-1045",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"name": "openSUSE-SU-2015:0186",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"name": "GLSA-201801-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201801-15"
},
{
"name": "62610",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/62610"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"name": "DSA-3136",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3136"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1182",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2015-0991",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"name": "62270",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/62270"
},
{
"name": "FEDORA-2015-1045",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"name": "openSUSE-SU-2015:0186",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"name": "GLSA-201801-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201801-15"
},
{
"name": "62610",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/62610"
},
{
"name": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"name": "DSA-3136",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3136"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1182",
"datePublished": "2015-01-27T15:00:00",
"dateReserved": "2015-01-17T00:00:00",
"dateUpdated": "2024-08-06T04:33:20.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8627 (GCVE-0-2014-8627)
Vulnerability from cvelistv5 – Published: 2014-11-24 15:00 – Updated: 2024-08-06 13:26
VLAI?
Summary
PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:26:02.135Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "61220",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61220"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-06T16:15:35",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "microfocus"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "61220",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61220"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"ID": "CVE-2014-8627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2014:1457",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "61220",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61220"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "microfocus",
"cveId": "CVE-2014-8627",
"datePublished": "2014-11-24T15:00:00",
"dateReserved": "2014-11-06T00:00:00",
"dateUpdated": "2024-08-06T13:26:02.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4911 (GCVE-0-2014-4911)
Vulnerability from cvelistv5 – Published: 2014-07-22 14:00 – Updated: 2024-08-06 11:27
VLAI?
Summary
The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:27:37.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
},
{
"name": "DSA-2981",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"name": "60215",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/60215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-07-23T12:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
},
{
"name": "DSA-2981",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"name": "60215",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/60215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4911",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
},
{
"name": "DSA-2981",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"name": "60215",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/60215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4911",
"datePublished": "2014-07-22T14:00:00",
"dateReserved": "2014-07-11T00:00:00",
"dateUpdated": "2024-08-06T11:27:37.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-5914 (GCVE-0-2013-5914)
Vulnerability from cvelistv5 – Published: 2013-10-26 17:00 – Updated: 2024-09-16 16:38
VLAI?
Summary
Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:29:41.713Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
},
{
"name": "DSA-2782",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2013/dsa-2782"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-10-26T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
},
{
"name": "DSA-2782",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2013/dsa-2782"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5914",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
},
{
"name": "DSA-2782",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2013/dsa-2782"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5914",
"datePublished": "2013-10-26T17:00:00Z",
"dateReserved": "2013-09-19T00:00:00Z",
"dateUpdated": "2024-09-16T16:38:29.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4574 (GCVE-0-2011-4574)
Vulnerability from nvd – Published: 2021-10-27 00:52 – Updated: 2024-08-07 00:09
VLAI?
Summary
PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results.
Severity ?
No CVSS data available.
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:09:19.410Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PolarSSL",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PolarSSL 1.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor\u0027s high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-338",
"description": "CWE-338",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-27T00:52:57",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-4574",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PolarSSL",
"version": {
"version_data": [
{
"version_value": "PolarSSL 1.1.0"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PolarSSL versions prior to v1.1 use the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor\u0027s high resolution timer (the RDTSC instruction). This instruction can be virtualized, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-338"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02",
"refsource": "MISC",
"url": "https://tls.mbed.org/tech-updates/security-advisories/polarssl-security-advisory-2011-02"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-4574",
"datePublished": "2021-10-27T00:52:57",
"dateReserved": "2011-11-29T00:00:00",
"dateUpdated": "2024-08-07T00:09:19.410Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2130 (GCVE-0-2012-2130)
Vulnerability from nvd – Published: 2019-12-06 17:13 – Updated: 2024-08-06 19:26
VLAI?
Summary
A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys.
Severity ?
No CVSS data available.
CWE
- weak key generation in 0.99pre4 throught to 1.1.1
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:26:08.407Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53610"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "polarssl",
"vendor": "polarssl",
"versions": [
{
"status": "affected",
"version": "0.99pre4 through 1.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "weak key generation in 0.99pre4 throught to 1.1.1",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-06T17:13:26",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/bid/53610"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2130",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "polarssl",
"version": {
"version_data": [
{
"version_value": "0.99pre4 through 1.1.1"
}
]
}
}
]
},
"vendor_name": "polarssl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Security Bypass vulnerability exists in PolarSSL 0.99pre4 through 1.1.1 due to a weak encryption error when generating Diffie-Hellman values and RSA keys."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "weak key generation in 0.99pre4 throught to 1.1.1"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2012-2130",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2012-2130"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2130"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=CVE-2012-2130"
},
{
"name": "http://security.gentoo.org/glsa/glsa-201310-10.xml",
"refsource": "MISC",
"url": "http://security.gentoo.org/glsa/glsa-201310-10.xml"
},
{
"name": "http://www.securityfocus.com/bid/53610",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/53610"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75726"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2130",
"datePublished": "2019-12-06T17:13:26",
"dateReserved": "2012-04-04T00:00:00",
"dateUpdated": "2024-08-06T19:26:08.407Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5291 (GCVE-0-2015-5291)
Vulnerability from nvd – Published: 2015-11-02 19:00 – Updated: 2024-08-06 06:41
VLAI?
Summary
Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:41:09.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "FEDORA-2015-e22bb33731",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"name": "FEDORA-2015-7f939b3af5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2015:2257",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"name": "GLSA-201706-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"name": "openSUSE-SU-2015:2371",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-06-30T16:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "FEDORA-2015-e22bb33731",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"name": "FEDORA-2015-7f939b3af5",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2015:2257",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"name": "GLSA-201706-18",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"name": "openSUSE-SU-2015:2371",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-5291",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3468",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"name": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf",
"refsource": "MISC",
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"name": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/",
"refsource": "MISC",
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "FEDORA-2015-e22bb33731",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170317.html"
},
{
"name": "FEDORA-2015-7f939b3af5",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169765.html"
},
{
"name": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01",
"refsource": "CONFIRM",
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2015:2257",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00013.html"
},
{
"name": "GLSA-201706-18",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201706-18"
},
{
"name": "openSUSE-SU-2015:2371",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-12/msg00119.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-5291",
"datePublished": "2015-11-02T19:00:00",
"dateReserved": "2015-07-01T00:00:00",
"dateUpdated": "2024-08-06T06:41:09.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8036 (GCVE-0-2015-8036)
Vulnerability from nvd – Published: 2015-11-02 19:00 – Updated: 2024-08-06 08:06
VLAI?
Summary
Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:06:31.616Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2016:1928",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-10-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-02T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "DSA-3468",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2016:1928",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8036",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3468",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3468"
},
{
"name": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf",
"refsource": "MISC",
"url": "https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf"
},
{
"name": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/",
"refsource": "MISC",
"url": "https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/"
},
{
"name": "FEDORA-2015-30a417bea9",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html"
},
{
"name": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01",
"refsource": "CONFIRM",
"url": "https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01"
},
{
"name": "openSUSE-SU-2016:1928",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8036",
"datePublished": "2015-11-02T19:00:00",
"dateReserved": "2015-11-02T00:00:00",
"dateUpdated": "2024-08-06T08:06:31.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8628 (GCVE-0-2014-8628)
Vulnerability from nvd – Published: 2015-08-24 15:00 – Updated: 2024-08-06 13:26
VLAI?
Summary
Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:26:02.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "DSA-3116",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-06T16:15:37",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "microfocus"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "DSA-3116",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@microfocus.com",
"ID": "CVE-2014-8628",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Memory leak in PolarSSL before 1.2.12 and 1.3.x before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of crafted X.509 certificates. NOTE: this identifier has been SPLIT per ADT3 due to different affected versions. See CVE-2014-9744 for the ClientHello message issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2014:1457",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "DSA-3116",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3116"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.12-released"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "microfocus",
"cveId": "CVE-2014-8628",
"datePublished": "2015-08-24T15:00:00",
"dateReserved": "2014-11-06T00:00:00",
"dateUpdated": "2024-08-06T13:26:02.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9744 (GCVE-0-2014-9744)
Vulnerability from nvd – Published: 2015-08-24 15:00 – Updated: 2024-09-16 18:33
VLAI?
Summary
Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:55:04.893Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-08-24T15:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9744",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Memory leak in PolarSSL before 1.3.9 allows remote attackers to cause a denial of service (memory consumption) via a large number of ClientHello messages. NOTE: this identifier was SPLIT from CVE-2014-8628 per ADT3 due to different affected versions."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2014:1457",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9744",
"datePublished": "2015-08-24T15:00:00Z",
"dateReserved": "2015-08-24T00:00:00Z",
"dateUpdated": "2024-09-16T18:33:17.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1182 (GCVE-0-2015-1182)
Vulnerability from nvd – Published: 2015-01-27 15:00 – Updated: 2024-08-06 04:33
VLAI?
Summary
The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:33:20.872Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "FEDORA-2015-0991",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"name": "62270",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/62270"
},
{
"name": "FEDORA-2015-1045",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"name": "openSUSE-SU-2015:0186",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"name": "GLSA-201801-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201801-15"
},
{
"name": "62610",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/62610"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"name": "DSA-3136",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2015/dsa-3136"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-01-15T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "FEDORA-2015-0991",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"name": "62270",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/62270"
},
{
"name": "FEDORA-2015-1045",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"name": "openSUSE-SU-2015:0186",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"name": "GLSA-201801-15",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201801-15"
},
{
"name": "62610",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/62610"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"name": "DSA-3136",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2015/dsa-3136"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1182",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "FEDORA-2015-0991",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148829.html"
},
{
"name": "62270",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/62270"
},
{
"name": "FEDORA-2015-1045",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148903.html"
},
{
"name": "openSUSE-SU-2015:0186",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00003.html"
},
{
"name": "GLSA-201801-15",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201801-15"
},
{
"name": "62610",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/62610"
},
{
"name": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-04"
},
{
"name": "DSA-3136",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2015/dsa-3136"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1182",
"datePublished": "2015-01-27T15:00:00",
"dateReserved": "2015-01-17T00:00:00",
"dateUpdated": "2024-08-06T04:33:20.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8627 (GCVE-0-2014-8627)
Vulnerability from nvd – Published: 2014-11-24 15:00 – Updated: 2024-08-06 13:26
VLAI?
Summary
PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:26:02.135Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "61220",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61220"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-10-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-06T16:15:35",
"orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"shortName": "microfocus"
},
"references": [
{
"name": "openSUSE-SU-2014:1457",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "61220",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61220"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@suse.com",
"ID": "CVE-2014-8627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "openSUSE-SU-2014:1457",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-11/msg00079.html"
},
{
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.3.9-released"
},
{
"name": "61220",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61220"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
"assignerShortName": "microfocus",
"cveId": "CVE-2014-8627",
"datePublished": "2014-11-24T15:00:00",
"dateReserved": "2014-11-06T00:00:00",
"dateUpdated": "2024-08-06T13:26:02.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-4911 (GCVE-0-2014-4911)
Vulnerability from nvd – Published: 2014-07-22 14:00 – Updated: 2024-08-06 11:27
VLAI?
Summary
The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:27:37.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
},
{
"name": "DSA-2981",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"name": "60215",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/60215"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-07-23T12:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
},
{
"name": "DSA-2981",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"name": "60215",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/60215"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-4911",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ssl_decrypt_buf function in library/ssl_tls.c in PolarSSL before 1.2.11 and 1.3.x before 1.3.8 allows remote attackers to cause a denial of service (crash) via vectors related to the GCM ciphersuites, as demonstrated using the Codenomicon Defensics toolkit."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2014-02"
},
{
"name": "DSA-2981",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2981"
},
{
"name": "60215",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/60215"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-4911",
"datePublished": "2014-07-22T14:00:00",
"dateReserved": "2014-07-11T00:00:00",
"dateUpdated": "2024-08-06T11:27:37.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-5914 (GCVE-0-2013-5914)
Vulnerability from nvd – Published: 2013-10-26 17:00 – Updated: 2024-09-16 16:38
VLAI?
Summary
Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:29:41.713Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
},
{
"name": "DSA-2782",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2013/dsa-2782"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-10-26T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
},
{
"name": "DSA-2782",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2013/dsa-2782"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5914",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Buffer overflow in the ssl_read_record function in ssl_tls.c in PolarSSL before 1.1.8, when using TLS 1.1, might allow remote attackers to execute arbitrary code via a long packet."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04",
"refsource": "CONFIRM",
"url": "https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-04"
},
{
"name": "DSA-2782",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2013/dsa-2782"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5914",
"datePublished": "2013-10-26T17:00:00Z",
"dateReserved": "2013-09-19T00:00:00Z",
"dateUpdated": "2024-09-16T16:38:29.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}