CVE-2018-12384
published 2019-04-29

Severity: medium, 5.9 (CVSS 3.0)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:N / A:N
When handling an SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

Affected

11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nss | < nss 2:3.39-1 (bookworm) | nss 2:3.39-1 (bookworm) |
| fasterxml | jackson-databind | >= 0 < 2.4.2-3ubuntu0.1~esm2 | 2.4.2-3ubuntu0.1~esm2 |
| mozilla | network_security_services | < 3.39 | 3.39 |
| mozilla | nss | >= 0 < 2:3.39-1 | 2:3.39-1 |
| mozilla | nss | >= 0 < 2:3.39-1 | 2:3.39-1 |
| mozilla | nss | >= 0 < 2:3.39-1 | 2:3.39-1 |
| mozilla | nss | >= 0 < 2:3.39-1 | 2:3.39-1 |
| mozilla | nss | >= 0 < 2:3.28.4-0ubuntu0.14.04.4 | 2:3.28.4-0ubuntu0.14.04.4 |
| mozilla | nss | >= 0 < 2:3.28.4-0ubuntu0.16.04.4 | 2:3.28.4-0ubuntu0.16.04.4 |
| mozilla | nss | >= 0 < 2:3.35-2ubuntu2.1 | 2:3.35-2ubuntu2.1 |
| nss | network_security_services | | |

CVSS provenance

nvd: v3.0, 5.9 MEDIUM, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
osv: 9.8 CRITICAL