CVE-2015-5333: Uncontrolled Resource Consumption in LibreSSL

Severity: 7.5 HIGH (NVD)
EPSS: 2.1% (top 15.94%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 23; latest update May 24

Description

Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allows remote attackers to cause a denial of service (memory consumption) via a large number of ASN.1 object identifiers in X.509 certificates.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 6 packages

🔴 Vulnerability Details (2)

GHSA
GHSA-qrw8-4f9g-c6gc: Memory leak in the OBJ_obj2txt function in LibreSSL before 2 (2022-05-24)
CVEList
CVE-2015-5333: Memory leak in the OBJ_obj2txt function in LibreSSL before 2 (2020-01-23)

📋 Vendor Advisories (5)

Apple
CVE-2015-5333: macOS Mojave 10.14 (2018-09-24)
Red Hat
flash-plugin: information leaks and hardening bypass fixed in APSB15-23 (2015-09-21)
Red Hat
flash-plugin: cross-site request forgery against JSONP endpoints fixed in APSB15-11 (incomplete fix for CVE-2014-5333) (2015-06-09)
Apple
CVE-2015-5333: OS X El Capitan v10.11.4 and Security Update 2016-002
Apple
CVE-2015-5333: OS X El Capitan 10.11.2, Security Update 2015-005 Yosemite, and Security Update 2015-008 Mavericks

💬 Community (1)

Bugzilla
CVE-2015-3096 flash-plugin: cross-site request forgery against JSONP endpoints fixed in APSB15-11 (incomplete fix for CVE-2014-5333) (2015-06-10)