CVE-2024-5535 — Out-of-bounds Read in Openssl
Severity
9.1 CRITICAL (NVD)
EPSS
5.2%
top 10.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 27
Latest update: Nov 26
Description
Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an
empty supported client protocols buffer may cause a crash or memory contents to
be sent to the peer.
Impact summary: A buffer overread can have a range of potential consequences
such as unexpected application behaviour or a crash. In particular, this issue
could result in up to 255 bytes of arbitrary private data from memory being sent
to the peer, leading to a loss of confidentiality. However, only applications
that di…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2
Affected Packages: 8 packages
Vulnerability Details
GHSA (4)
GHSA-4fc7-mvrr-wv2c: Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory cont… (2024-06-27)
OSV
CVE-2024-5535: Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory cont… (2024-06-27)
Vendor Advisories
Oracle (10)
Oracle Financial Services Applications Risk Matrix: Accessibility (OpenSSL) — CVE-2024-5535 (2024-10-15)