CVE-2014-0224
published 2014-06-05CVE-2014-0224: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows…
high7.4CVSS 3.1
AVNACHPRNUINSUCHIHAN
EXPLOIT
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Affected
35 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | products | — | — |
| debian | openssl | < openssl 1.0.1h-1 (bookworm) | openssl 1.0.1h-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| filezilla-project | filezilla_server | < 0.9.45 | 0.9.45 |
| mariadb | mariadb | >= 10.0.0 < 10.0.13 | 10.0.13 |
| nodejs | node.js | < 0.10.29 | 0.10.29 |
| openssl | openssl | < 0.9.8za | 0.9.8za |
| openssl | openssl | >= 0 < 1.0.1h-1 | 1.0.1h-1 |
| openssl | openssl | >= 0 < 1.0.1h-1 | 1.0.1h-1 |
| openssl | openssl | >= 0 < 1.0.1h-1 | 1.0.1h-1 |
| openssl | openssl | >= 0 < 1.0.1h-1 | 1.0.1h-1 |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.3 | 1.0.1f-1ubuntu2.3 |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.4 | 1.0.1f-1ubuntu2.4 |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.2 | 1.0.1f-1ubuntu2.2 |
| openssl | openssl | >= 1.0.0 < 1.0.0m | 1.0.0m |
| openssl | openssl | >= 1.0.1 < 1.0.1h | 1.0.1h |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| paloalto | cortex_xdr | — | — |
| paloalto | pan-os | — | — |
| python | python | >= 2.7.0 < 2.7.8 | 2.7.8 |
| python | python | >= 3.4.0 < 3.4.2 | 3.4.2 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux | — | — |
CVSS provenance
nvdv3.17.4HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
osv7.4HIGH
vulncheck7.4HIGH