CVE-2010-4180: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the…

medium4.3CVSS 3.1

AVNACMAuNCNIPAN

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Affected

75 ranges· showing 25

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	openssl	< openssl 0.9.8k-1 (bookworm)	openssl 0.9.8k-1 (bookworm)
debian	openssl	< openssl 0.9.8o-4 (bookworm)	openssl 0.9.8o-4 (bookworm)
f5	nginx	< 0.9.2	0.9.2
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
openssl	openssl	< 0.9.8q	0.9.8q
openssl	openssl	<= 0.9.8i	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—
openssl	openssl	—	—

CVSS provenance

nvd4.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N

osv4.3MEDIUM