CVE-2015-3195

CWE-200Information ExposureCWE-399CWE-401Memory Leak12 documents11 sources
Severity
5.3MEDIUM
EPSS
3.5%
top 12.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
25
Apple MAC OS XOpenssl OpensslOracle VM Virtualbox+22 more
Timeline
PublishedDec 6
Latest updateMay 13

Description

The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 3.9 | Impact: 1.4

Affected Packages21 packages

NVDopenssl/openssl1.0.01.0.0t+3
Debianopenssl< 1.0.2e-1+3
NVDapple/mac_os_x< 10.11.4
NVDoracle/vm_virtualbox5.0.05.0.14+1

Also affects: Debian Linux 7.0, 8.0, Fedora 22, Ubuntu Linux 12.04, 14.04, 15.04, 15.10, Enterprise Linux 7.2, 7.3, 7.4, 7.6, 7.7

🔴Vulnerability Details

3
GHSA
GHSA-7q2f-v729-wjf3: The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec2022-05-13
OSV
CVE-2015-3195: The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec2015-12-06
CVEList
CVE-2015-3195: The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec2015-12-06

📋Vendor Advisories

6
Ubuntu
OpenSSL vulnerabilities2015-12-07
BSD
FreeBSD-SA-15:26.openssl: Multiple OpenSSL vulnerabilities2015-12-06
Cisco
Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products2015-12-04
Red Hat
OpenSSL: X509_ATTRIBUTE memory leak2015-12-03
Debian
CVE-2015-3195: openssl - The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before...2015

💬Community

2
Bugzilla
CVE-2015-3194 CVE-2015-3195 CVE-2015-3196 mingw-openssl: various flaws [fedora-all]2015-12-10
Bugzilla
CVE-2015-3195 OpenSSL: X509_ATTRIBUTE memory leak2015-12-04
CVE-2015-3195 (MEDIUM CVSS 5.3) | The ASN1_TFLG_COMBINE implementatio | cvebase.io