Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2009-1378 — Missing Release of Memory after Effective Lifetime in Openssl
Severity
5.0MEDIUMNVD
EPSS
13.2%
top 5.83%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedMay 19
Latest updateDec 29
Description
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
CVSS vector
AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9
Affected Packages3 packages
Also affects: Ubuntu Linux 6.06, 8.04, 8.10, 9.04
Patches
🔴Vulnerability Details
2💥Exploits & PoCs
2📋Vendor Advisories
3📄Research Papers
1arXiv▶
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29