CVE-2015-3195
published 2015-12-06
medium 5.3 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
Affected
65 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | < 10.11.4 | 10.11.4 |
| apple | os_x_el_capitan_v10.11.4_and_security_update_2016-002 | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| cisco | products | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | openssl | < openssl 1.0.2e-1 (bookworm) | openssl 1.0.2e-1 (bookworm) |
| fedoraproject | fedora | — | — |
| openssl | openssl | < 0.9.8zh | 0.9.8zh |
| openssl | openssl | >= 0 < 1.0.2e-1 | 1.0.2e-1 |
| openssl | openssl | >= 0 < 1.0.2e-1 | 1.0.2e-1 |
| openssl | openssl | >= 0 < 1.0.2e-1 | 1.0.2e-1 |
| openssl | openssl | >= 0 < 1.0.2e-1 | 1.0.2e-1 |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.16 | 1.0.1f-1ubuntu2.16 |
| openssl | openssl | >= 1.0.0 < 1.0.0t | 1.0.0t |
| openssl | openssl | >= 1.0.1 < 1.0.1q | 1.0.1q |
| openssl | openssl | >= 1.0.2 < 1.0.2e | 1.0.2e |
| opensuse | leap | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| oracle | api_gateway | — | — |
CVSS provenance
nvd: v3.1, 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
osv: 5.3 MEDIUM