Unrated severityNVD Advisory· Published Mar 3, 2003· Updated Apr 16, 2026

CVE-2003-0078

Description

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."

Affected products

OpenSSL Project/OpenSSL9 versions
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*range: <0.9.6i
- cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:-:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:*
FreeBSD/FreeBSD7 versions
cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.3:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.4:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.5:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.6:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.7:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:5.0:*:*:*:*:*:*:*
OpenBSD/OpenBSD2 versions
cpe:2.3:o:openbsd:openbsd:3.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:openbsd:openbsd:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.2:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openssl.org/news/secadv_20030219.txtnvdBroken LinkPatchVendor Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
marc.infonvdThird Party Advisory
www.debian.org/security/2003/dsa-253nvdBroken LinkVendor Advisory
www.iss.net/security_center/static/11369.phpnvdBroken LinkVendor Advisory
www.securityfocus.com/bid/6884nvdBroken LinkThird Party AdvisoryVDB Entry
ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.ascnvdBroken Link
patches.sgi.com/support/free/security/advisories/20030501-01-InvdBroken Link
distro.conectiva.com.br/atualizacoes/nvdBroken Link
www.ciac.org/ciac/bulletins/n-051.shtmlnvdBroken Link
www.linuxsecurity.com/advisories/engarde_advisory-2874.htmlnvdBroken Link
www.mandrakesoft.com/security/advisoriesnvdBroken Link
www.osvdb.org/3945nvdBroken Link
www.redhat.com/support/errata/RHSA-2003-062.htmlnvdBroken Link
www.redhat.com/support/errata/RHSA-2003-063.htmlnvdBroken Link
www.redhat.com/support/errata/RHSA-2003-082.htmlnvdBroken Link
www.redhat.com/support/errata/RHSA-2003-104.htmlnvdBroken Link
www.redhat.com/support/errata/RHSA-2003-205.htmlnvdBroken Link
www.trustix.org/errata/2003/0005nvdBroken Link

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.010
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000