CVE-2005-2969 — Algorithm Downgrade in Openssl

CWE-757 — Algorithm Downgrade11 documents10 sources

Severity

5.0MEDIUMNVD

EPSS

9.4%

top 7.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedOct 18

Latest updateMay 3

Description

The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 before 0.9.8a, when using the SSL_OP_MSIE_SSLV2_RSA_PADDING option, disables a verification step that is required for preventing protocol version rollback attacks, which allows remote attackers to force a client and server to use a weaker protocol than needed via a man-in-the-middle attack.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/openssl< openssl 0.9.8-3 (bookworm)

▶Debianopenssl/openssl< 0.9.8-3+3

▶NVDopenssl/openssl9 versions+8

Patches

Patch: www.openssl.org ↗Patch: www.openssl.org ↗

🔴Vulnerability Details

GHSA

GHSA-h7wj-q4wv-chfq: The SSL/TLS server implementation in OpenSSL 0↗2022-05-03

▶

OSV

CVE-2005-2969: The SSL/TLS server implementation in OpenSSL 0↗2005-10-18

▶

📋Vendor Advisories

Ubuntu

SSL library vulnerability↗2005-10-14

▶

Cisco

OpenSSL Version Rollback and Weak Cryptographic Algorithm Vulnerabilities↗2005-10-12

▶

Red Hat

openssl mitm downgrade attack↗2005-10-11

▶

Debian

CVE-2005-2969: openssl - The SSL/TLS server implementation in OpenSSL 0.9.7 before 0.9.7h and 0.9.8 befor...↗2005

▶

📐Framework References

CWE

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')↗

▶

💬Community

Bugzilla

CVE-2005-2969 openssl mitm downgrade attack↗2008-01-29

▶

Bugzilla

CVE-2005-2969 openssl mitm downgrade attack↗2008-01-29

▶