CVE-2014-3616
published 2014-12-08
medium 4.3 CVSS 3.1
AV:N/AC:M/Au:N/C:N/I:P/A:N
nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | nginx | < nginx 1.6.2-1 (bookworm) | nginx 1.6.2-1 (bookworm) |
| f5 | nginx | >= 0 < 1.6.2-1 | 1.6.2-1 |
| f5 | nginx | >= 0 < 1.6.2-1 | 1.6.2-1 |
| f5 | nginx | >= 0 < 1.6.2-1 | 1.6.2-1 |
| f5 | nginx | >= 0 < 1.6.2-1 | 1.6.2-1 |
| f5 | nginx | >= 0.5.6 < 1.6.2 | 1.6.2 |
| f5 | nginx | >= 1.7.0 < 1.7.5 | 1.7.5 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| osv | 4.3 | MEDIUM | — |