Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2002-0002

6 documents6 sources

Severity

7.5HIGH

EPSS

15.6%

top 5.30%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Engardelinux Secure Linux Mandrakesoft Mandrake Linux Redhat Linux +1 more

Timeline

PublishedJan 31

Latest updateApr 30

Description

Format string vulnerability in stunnel before 3.22 when used in client mode for (1) smtp, (2) pop, or (3) nntp allows remote malicious servers to execute arbitrary code.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages4 packages

▶NVDstunnel/stunnel22 versions+21

▶NVDredhat/linux7.2

▶NVDengardelinux/secure_linux1.0.1

▶NVDmandrakesoft/mandrake_linux8.1

Patches

Patch: www.redhat.com ↗Patch: www.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-8qj7-vx74-c666: Format string vulnerability in stunnel before 3↗2022-04-30

▶

CVEList

CVE-2002-0002: Format string vulnerability in stunnel before 3↗2002-06-25

▶

💥Exploits & PoCs

Exploit-DB

STunnel 3.x - Client Negotiation Protocol Format String↗2001-12-22

▶

📋Vendor Advisories

Red Hat

security flaw↗2001-12-18

▶

💬Community

Bugzilla

CVE-2002-0002 security flaw↗2018-08-16

▶