CVE-2008-7270 — Openssl vulnerability

CWE-3107 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.3%

top 20.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedDec 6

Latest updateMay 17

Description

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/openssl< openssl 0.9.8k-1 (bookworm)

▶Debianopenssl/openssl< 0.9.8k-1+3

▶NVDopenssl/openssl0.9.8i+44

🔴Vulnerability Details

GHSA

GHSA-2qf2-98wp-cwm9: OpenSSL before 0↗2022-05-17

▶

OSV

CVE-2008-7270: OpenSSL before 0↗2010-12-06

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerabilities↗2010-12-08

▶

Red Hat

openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack↗2010-12-02

▶

Debian

CVE-2008-7270: openssl - OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, ...↗2008

▶

💬Community

Bugzilla

CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack↗2010-12-07

▶