
openssl

271 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-31790
>= 3.0.0 and < 3.0.20
Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitiali
7.5 HIGH
CVE-2026-31789
>= 3.0.0 and < 3.0.20
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bi
9.8 CRITICAL
CVE-2026-28390
>= 1.0.2 and < 1.0.2zp
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference
7.5 HIGH
CVE-2026-28389
>= 1.0.2 and < 1.0.2zp
Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can
7.5 HIGH
CVE-2026-28388
>= 1.0.2 and < 1.0.2zp
Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen
7.5 HIGH
CVE-2026-28387
>= 1.1.1 and < 1.1.1zg
Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon se
8.1 HIGH
CVE-2026-28386
>= 3.6.0 and < 3.6.2
Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-
7.5 HIGH
CVE-2026-22796
>= 1.0.2 and < 1.0.2zn
Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union
5.3 MEDIUM
CVE-2026-22795
>= 1.1.1 and < 1.1.1ze
Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact su
5.5 MEDIUM
CVE-2025-69421
>= 1.0.2 and < 1.0.2zn
Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() func
7.5 HIGH
CVE-2025-69420
>= 1.1.1 and < 1.1.1ze
Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member i
7.5 HIGH
CVE-2025-69419
>= 1.1.1 and < 1.1.1ze
Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friend
7.4 HIGH
CVE-2025-69418
>= 1.1.1 and < 1.1.1ze
Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose len
4.0 MEDIUM
CVE-2025-68160
>= 1.0.2 and < 1.0.2zn
Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short
4.7 MEDIUM
CVE-2025-66199
>= 3.3.0 and < 3.3.6
Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression wi
5.9 MEDIUM
CVE-2025-15469
>= 3.5.0 and < 3.5.5
Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms a
5.5 MEDIUM
CVE-2025-15468
>= 3.3.0 and < 3.3.6
Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown ciph
5.9 MEDIUM
CVE-2025-15467
>= 3.0.0 and < 3.0.19
Issue summary: Parsing CMS AuthEnvelopedData or EnvelopedData message with maliciously crafted AEAD parameters can trigger a stack
8.8 HIGH
CVE-2025-11187
>= 3.4.0 and < 3.4.4
Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid
6.1 MEDIUM
CVE-2023-53159
< 0.10.55
The openssl crate before 0.10.55 for Rust allows an out-of-bounds read via an empty string to X509VerifyParamRef::set_host.
4.5 MEDIUM
CVE-2025-4575
all versions
Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certi
6.5 MEDIUM
CVE-2024-6119
>= 3.0.0 and < 3.0.15
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to rea
7.5 HIGH
CVE-2024-0727
>= 1.0.2 and < 1.0.2zj
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service a
5.5 MEDIUM
CVE-2023-6129
>= 3.0.0 and <= 3.0.12
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state
6.5 MEDIUM
CVE-2023-5678
>= 1.0.2 and < 1.0.2zj
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow
5.3 MEDIUM
CVE-2023-5363
>= 3.0.0 and < 3.0.12
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potent
7.5 HIGH
CVE-2023-4807
>= 1.1.1 and < 1.1.1w
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state
7.8 HIGH
CVE-2023-3817
>= 3.0.0 and < 3.0.10
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functi
5.3 MEDIUM
CVE-2023-3446
all versions
Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functi
5.3 MEDIUM
CVE-2023-2975
>= 3.0.0 and <= 3.0.9
Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are u
5.3 MEDIUM
CVE-2023-2650
>= 1.0.2 and < 1.0.2zh
Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summar
6.5 MEDIUM
CVE-2023-1255
>= 3.0.0 and < 3.0.9
Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read pas
5.9 MEDIUM
CVE-2023-0466
>= 1.0.2 and < 1.0.2zh
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificat
5.3 MEDIUM
CVE-2023-0465
>= 1.0.2 and < 1.0.2zh
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circu
5.3 MEDIUM
CVE-2023-0464
>= 1.0.2 and < 1.0.2zh
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificat
7.5 HIGH
CVE-2022-4203
>= 3.0.0 and < 3.0.8
A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this
4.9 MEDIUM
CVE-2023-0401
>= 3.0.0 and <= 3.0.7
A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash
7.5 HIGH
CVE-2023-0286
>= 1.0.2 and < 1.0.2zg
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were par
7.4 HIGH
CVE-2023-0217
>= 3.0.0 and <= 3.0.7
An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_P
7.5 HIGH
CVE-2023-0216
>= 3.0.0 and <= 3.0.7
An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(
7.5 HIGH
CVE-2023-0215
>= 1.0.2 and < 1.0.2zg
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally
7.5 HIGH
CVE-2022-4450
>= 1.1.1 and < 1.1.1t
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data
7.5 HIGH
CVE-2022-4304
>= 1.0.2 and < 1.0.2zg
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext a
5.9 MEDIUM
CVE-2022-3996
>= 3.0.0 and <= 3.0.7
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken t
7.5 HIGH
CVE-2022-3786
>= 3.0.0 and < 3.0.7
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occu
7.5 HIGH
CVE-2022-3602
>= 3.0.0 and < 3.0.7
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occu
7.5 HIGH
CVE-2022-3358
>= 3.0.0 and < 3.0.6
OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This functi
7.5 HIGH
CVE-2022-2097
>= 1.1.1 and < 1.1.1q
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data
5.3 MEDIUM
CVE-2022-2274
all versions
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instruction
9.8 CRITICAL
CVE-2022-2068
>= 1.0.2 and < 1.0.2zf
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script d
7.3 HIGH
CVE-2022-1473
>= 3.0.0 and < 3.0.3
The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the remov
7.5 HIGH
CVE-2022-1434
>= 3.0.0 and < 3.0.3
The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key tri
5.9 MEDIUM
CVE-2022-1343
>= 3.0.0 and < 3.0.3
The function OCSP_basic_verify verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCS
5.3 MEDIUM
CVE-2022-1292
>= 1.0.2 and < 1.0.2ze
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by so
7.3 HIGH
CVE-2022-0778
>= 1.0.2 and < 1.0.2zd
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime m
7.5 HIGH
CVE-2021-4160
>= 1.0.2 and <= 1.0.2zb
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of t
5.9 MEDIUM
CVE-2021-4044
< 1.0.2
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That functi
7.5 HIGH
CVE-2021-3712
>= 1.0.2 and < 1.0.2za
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string dat
7.4 HIGH
CVE-2021-3711
>= 1.1.1 and < 1.1.1l
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an applic
9.8 CRITICAL
CVE-2021-3450
>= 1.1.1h and < 1.1.1k
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not
7.4 HIGH
CVE-2021-3449
>= 1.1.1 and < 1.1.1k
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renego
5.9 MEDIUM
CVE-2021-23841
>= 1.0.2 and < 1.0.2y
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and seria
5.9 MEDIUM
CVE-2021-23840
>= 1.0.2 and < 1.0.2y
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the
7.5 HIGH
CVE-2021-23839
>= 1.0.2s and <= 1.0.2x
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and m
3.7 LOW
CVE-2020-1971
>= 1.0.2 and < 1.0.2x
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPar
5.9 MEDIUM
CVE-2020-1968
>= 1.0.2 and <= 1.0.2v
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master sec
3.7 LOW
CVE-2020-1967
>= 1.1.1d and <= 1.1.1f
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL
7.5 HIGH
CVE-2019-1551
>= 1.0.2 and <= 1.0.2t
There is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms
5.3 MEDIUM
CVE-2019-1563
>= 1.0.2 and <= 1.0.2s
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, aft
3.7 LOW
CVE-2019-1549
>= 1.1.1 and <= 1.1.1c
OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork
5.3 MEDIUM
CVE-2019-1547
>= 1.0.2 and <= 1.0.2s
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in s
4.7 MEDIUM
CVE-2019-1552
>= 1.0.2 and <= 1.0.2s
OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verific
3.3 LOW
CVE-2019-1543
>= 1.1.0 and <= 1.1.0j
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the
7.4 HIGH
CVE-2019-1559
>= 1.0.2 and < 1.0.2r
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to
5.9 MEDIUM
CVE-2018-16395
< 2.1.2
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.
9.8 CRITICAL
CVE-2018-5407
>= 1.0.2 and < 1.0.2q
Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a sid
4.7 MEDIUM
CVE-2018-0734
>= 1.0.2 and <= 1.0.2p
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variati
5.9 MEDIUM
CVE-2018-0735
>= 1.1.0 and <= 1.1.0i
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use varia
5.9 MEDIUM
CVE-2016-7056
<= 1.0.1u
A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P
5.5 MEDIUM
CVE-2018-0732
>= 1.0.2 and <= 1.0.2o
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to th
7.5 HIGH
CVE-2018-0737
>= 1.0.2b and <= 1.0.2o
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with s
5.9 MEDIUM
CVE-2018-0739
>= 1.0.2b and <= 1.0.2n
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malici
6.5 MEDIUM
CVE-2018-0733
>= 1.1.0 and <= 1.1.0g
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant
5.9 MEDIUM
CVE-2017-3738
all versions
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algori
5.9 MEDIUM
CVE-2017-3737
all versions
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred
5.9 MEDIUM
CVE-2016-8610
>= 1.0.2 and <= 1.0.2h
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol define
7.5 HIGH
CVE-2017-3736
>= 1.0.2 and < 1.0.2m
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No
6.5 MEDIUM
CVE-2017-3735
all versions
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in
5.3 MEDIUM
CVE-2016-7055
>= 1.0.2 and < 1.0.2k
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1
5.9 MEDIUM
CVE-2017-3733
all versions
During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vi
7.5 HIGH
CVE-2017-3732
all versions
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0
5.9 MEDIUM
CVE-2017-3731
all versions
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause
7.5 HIGH
CVE-2017-3730
all versions
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result
7.5 HIGH
CVE-2016-7054
all versions
In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupti
7.5 HIGH
CVE-2016-7053
all versions
In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is cau
7.5 HIGH
CVE-2016-7798
< 2.0.0
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which
7.5 HIGH
CVE-2016-7052
all versions
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and applic
7.5 HIGH
CVE-2016-6309
all versions
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to c
9.8 CRITICAL
CVE-2016-6308
all versions
statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive l
5.9 MEDIUM
CVE-2016-6307
all versions
The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which mi
5.9 MEDIUM
CVE-2016-6306
all versions
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service
5.9 MEDIUM
CVE-2016-6305
all versions
The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of
7.5 HIGH
CVE-2016-6304
all versions
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to
7.5 HIGH
CVE-2016-6303
all versions
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a
9.8 CRITICAL
CVE-2016-6302
all versions
The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the t
7.5 HIGH
CVE-2016-2182
all versions
The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows r
9.8 CRITICAL
CVE-2016-2181
all versions
The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjuncti
7.5 HIGH
CVE-2016-2179
all versions
The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused ou
7.5 HIGH
CVE-2016-2183
all versions
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bou
7.5 HIGH
CVE-2016-2180
all versions
The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementatio
7.5 HIGH
CVE-2016-2178
all versions
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time o
5.5 MEDIUM
CVE-2016-2177
all versions
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to
9.8 CRITICAL
CVE-2016-2176
<= 1.0.1s
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers
8.2 HIGH
CVE-2016-2109
<= 1.0.1s
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before
7.5 HIGH
CVE-2016-2108
<= 1.0.1n
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cau
9.8 CRITICAL
CVE-2016-2107
<= 1.0.1s
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain pa
5.9 MEDIUM
CVE-2016-2106
<= 1.0.1s
Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows
7.5 HIGH
CVE-2016-2105
all versions
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows r
7.5 HIGH
CVE-2000-1254
<= 0.9.5
crypto/rsa/rsa_gen.c in OpenSSL before 0.9.6 mishandles C bitwise-shift operations that exceed the size of an expression, which ma
7.5 HIGH
CVE-2016-2842
all versions
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a cer
9.8 CRITICAL
CVE-2016-0799
all versions
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string le
9.8 CRITICAL
CVE-2016-0798
all versions
Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attac
7.5 HIGH
CVE-2016-0797
all versions
Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of serv
7.5 HIGH
CVE-2016-0705
all versions
Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 befor
9.8 CRITICAL
CVE-2016-0702
all versions
The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not
5.1 MEDIUM
CVE-2016-0704
<= 0.9.8ze
An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.
5.9 MEDIUM
CVE-2016-0703
<= 0.9.8ze
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1
5.9 MEDIUM
CVE-2016-0800
all versions
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a Serve
5.9 MEDIUM
CVE-2016-0701
all versions
The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are approp
3.7 LOW
CVE-2015-3197
all versions
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easi
5.9 MEDIUM
CVE-2015-3196
all versions
ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client,
CVE-2015-3195
< 0.9.8zh
The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q
5.3 MEDIUM
CVE-2015-3194
all versions
crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service
7.5 HIGH
CVE-2015-3193
all versions
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as
7.5 HIGH
CVE-2015-1794
all versions
The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of serv
CVE-2015-1793
all versions
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.
6.5 MEDIUM
CVE-2015-3216
all versions
Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distrib
CVE-2015-1792
<= 0.9.8zf
The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2
CVE-2015-1791
<= 0.9.8zf
Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1
CVE-2015-1790
<= 0.9.8zf
The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1
CVE-2015-1789
<= 0.9.8zf
The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.
7.5 HIGH
CVE-2015-1788
<= 0.9.8zf
The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2
CVE-2014-8176
<= 0.9.8z
The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data
CVE-2015-4000
>= 1.0.1 and <= 1.0.1m
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly conv
3.7 LOW
CVE-2015-1787
all versions
The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral
CVE-2015-0293
<= 0.9.8ze
The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remot
CVE-2015-0292
<= 0.9.8z
Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before
CVE-2015-0291
all versions
The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL p
CVE-2015-0290
all versions
The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with A
CVE-2015-0289
<= 0.9.8ze
The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not pr
CVE-2015-0288
<= 0.9.8ze
The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1
CVE-2015-0287
<= 0.9.8ze
The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1
CVE-2015-0286
<= 0.9.8ze
The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2
CVE-2015-0285
all versions
The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceedi
CVE-2015-0209
<= 0.9.8ze
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0
CVE-2015-0208
all versions
The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before
CVE-2015-0207
all versions
The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independen
CVE-2015-0206
all versions
Memory leak in the dtls1_buffer_record function in d1_pkt.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k allows remote a
CVE-2015-0205
all versions
The ssl3_get_cert_verify function in s3_srvr.c in OpenSSL 1.0.0 before 1.0.0p and 1.0.1 before 1.0.1k accepts client authenticatio
CVE-2015-0204
<= 0.9.8zc
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows rem
CVE-2014-8275
<= 0.9.8zc
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, whi
CVE-2014-3572
<= 0.9.8zc
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows rem
CVE-2014-3571
<= 0.9.8zc
OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL po
CVE-2014-3570
<= 0.9.8zc
The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the
CVE-2014-3569
all versions
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use
CVE-2014-3568
<= 0.9.8zb
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which all
CVE-2014-3567
<= 0.9.8zb
Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j
CVE-2014-3513
all versions
Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of se
CVE-2014-3566
all versions
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easi
3.4 LOW
CVE-2014-5139
all versions
The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of ser
CVE-2014-3512
all versions
Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers
CVE-2014-3511
all versions
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the u
CVE-2014-3510
all versions
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0
CVE-2014-3509
all versions
Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, wh
CVE-2014-3508
all versions
The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i
CVE-2014-3507
all versions
Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i
CVE-2014-3506
all versions
d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote a
CVE-2014-3505
all versions
Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1
CVE-2014-3470
< 0.9.8za
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, w
CVE-2014-0224
< 0.9.8za
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec mes
7.4 HIGH
CVE-2014-0221
>= 0.9.8 and < 0.9.8za
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allow
CVE-2014-0195
>= 0.9.8 and < 0.9.8za
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does n
CVE-2014-0198
>= 1.0.0 and <= 1.0.1g
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly
CVE-2010-5298
<= 1.0.1g
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, al
CVE-2014-0160
>= 1.0.1 and < 1.0.1g
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which
7.5 HIGH
CVE-2014-0076
<= 1.0.0l
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time b
CVE-2013-4353
all versions
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service
CVE-2013-6450
all versions
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data stru
CVE-2013-6449
<= 1.0.1e
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data st
CVE-2013-0169
>= 0.9.8 and <= 0.9.8x
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not
CVE-2013-0166
all versions
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP resp
CVE-2012-2686
all versions
crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d
CVE-2011-5095
all versions
The Diffie-Hellman key-exchange implementation in OpenSSL 0.9.8, when FIPS mode is enabled, does not properly validate a public pa
CVE-2011-1473
<= 0.9.8k
OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS pr
CVE-2012-2333
<= 0.9.8w
Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used w
CVE-2012-2131
all versions
Multiple integer signedness errors in crypto/buffer/buffer.c in OpenSSL 0.9.8v allow remote attackers to conduct buffer overflow a
CVE-2012-2110
<= 0.9.8u
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a do
CVE-2012-1165
<= 0.9.8t
The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to ca
CVE-2012-0884
<= 0.9.8t
The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not prope
CVE-2006-7250
<= 0.9.8t
The mime_hdr_cmp function in crypto/asn1/asn_mime.c in OpenSSL 0.9.8t and earlier allows remote attackers to cause a denial of ser
CVE-2011-4354
<= 0.9.8g
crypto/bn/bn_nist.c in OpenSSL before 0.9.8h on 32-bit platforms, as used in stunnel and other products, in certain circumstances
CVE-2012-0050
all versions
OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service
CVE-2012-0027
<= 1.0.0e
The GOST ENGINE in OpenSSL before 1.0.0f does not properly handle invalid parameters for the GOST block cipher, which allows remot
CVE-2011-4619
<= 0.9.8r
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handsha
CVE-2011-4577
<= 0.9.8r
OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of servic
CVE-2011-4576
<= 0.9.8r
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block c
CVE-2011-4109
all versions
Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to hav
CVE-2011-4108
<= 0.9.8r
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, whic
CVE-2011-3210
all versions
The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety
CVE-2011-3207
all versions
crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for rem
CVE-2011-1945
<= 1.0.0d
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm
CVE-2011-0014
all versions
ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash
CVE-2008-7270
<= 0.9.8i
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite i
CVE-2010-4252
<= 1.0.0b
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allo
CVE-2010-4180
< 0.9.8q
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent
CVE-2010-3864
all versions
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal ca
CVE-2010-2939
all versions
Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.
CVE-2010-1633
all versions
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly ot
CVE-2010-0742
<= 0.9.8n
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does
CVE-2010-0740
all versions
The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service
CVE-2010-0928
all versions
OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorith
CVE-2010-0433
<= 0.9.8m
The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration
CVE-2009-3245
<= 0.9.8l
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/
CVE-2009-4355
<= 0.9.8l
Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta
CVE-2009-3555
<= 0.9.8k
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod
9.8CRITICAL
CVE-2009-2409
>= 0.9.8 and <= 0.9.8k
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 throug
CVE-2009-1387
>= 0.9.8 and < 0.9.8m
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a d
CVE-2009-1386
> 0.9.8 and < 0.9.8i
ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon cr
CVE-2009-1379
all versions
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remo
CVE-2009-1378
> 0.9.8 and < 0.9.8m
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versio
CVE-2009-1377
>= 0.9.8 and < 0.9.8m
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a d
CVE-2009-0789
<= 0.9.8j
OpenSSL before 0.9.8k on WIN64 and certain other platforms does not properly handle a malformed ASN.1 structure, which allows remo
CVE-2009-0591
all versions
The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with mal
CVE-2009-0590
< 0.9.8k
The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory ac
CVE-2009-0653
all versions
OpenSSL, probably 0.9.6, does not verify the Basic Constraints for an intermediate CA-signed certificate, which allows remote atta
CVE-2008-5077
<= 0.9.8h
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attacke
CVE-2008-1678
all versions
Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote at
CVE-2008-1672
all versions
OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server K
CVE-2008-0891
all versions
Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers t
CVE-2008-0166
>= 0.9.8c-1 and <= 0.9.8g
OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates pr
7.5HIGH
CVE-2007-5502
all versions
The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does not perform auto-seeding during the FIPS self-test, which ge
CVE-2007-4995
all versions
Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via u
CVE-2007-5135
all versions
Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote
CVE-2007-3108
<= 0.9.8e
The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multipli
CVE-2006-4343
all versions
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions a
CVE-2006-3738
all versions
Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions h
CVE-2006-2940
all versions
OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumpt
CVE-2006-2937
all versions
OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory
CVE-2006-4339
<= 0.9.7
OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding
CVE-2005-2969
all versions
The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PAD
CVE-2005-2946
< 0.9.8
The default configuration on OpenSSL before 0.9.8 uses MD5 for creating message digests instead of a more cryptographically strong
7.5HIGH
CVE-2005-1797
all versions
The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on
CVE-2004-0975
all versions
The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users
CVE-2004-0112
all versions
The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the
CVE-2004-0081
all versions
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of ser
CVE-2004-0079
all versions
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of
7.5HIGH
CVE-2003-0851
all versions
OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences.
CVE-2003-0545
all versions
Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbit
9.8CRITICAL
CVE-2003-0544
all versions
OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to
CVE-2003-0543
all versions
Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certifi
CVE-2002-1568
all versions
OpenSSL 0.9.6e uses assertions when detecting buffer overflow attacks instead of less severe mechanisms, which allows remote attac
CVE-2003-0147
all versions
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determ
CVE-2003-0131
all versions
The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA
CVE-2003-0078
< 0.9.6i
ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect b
CVE-2002-0659
all versions
The ASN1 library in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allows remote attackers to cause a denial of service
CVE-2002-0657
all versions
Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long
CVE-2002-0656
all versions
Buffer overflows in OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, allow remote attackers to execute arbitrary code via
CVE-2002-0655
all versions
OpenSSL 0.9.6d and earlier, and 0.9.7-beta2 and earlier, does not properly handle ASCII representations of integers on 64 bit plat
CVE-2001-1141
all versions
The Pseudo-Random Number Generator (PRNG) in SSLeay and OpenSSL before 0.9.6b allows attackers to use the output of small PRNG req
CVE-2000-0535
all versions
OpenSSL 0.9.4 and OpenSSH for FreeBSD do not properly check for the existence of the /dev/random or /dev/urandom devices, which ar
CVE-1999-0428
< 0.9.2b
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin