Vendor CVEs
OpenSSL Project
All CVEs
379 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-6331 | | | 0.00 | — | 0.00 | | Jun 26, 2026 | HMAC zero-length tag forgery in EVP_DigestVerifyFinal, where a zero-length tag could be accepted as valid during HMAC verification. In the OpenSSL-compatibility HMAC verify path the supplied signature length was only checked as not exceeding the MAC length, so a zero-length or… |
| CVE-2026-55655 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | A flaw was found in OpenSSH. A local unprivileged attacker on a Linux client host can hijack client-side X11 forwarding connections. This is possible by pre-binding the preferred abstract X socket name when X11 forwarding is enabled and a local UNIX-domain X socket is used. A… |
| CVE-2026-55653 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | A flaw was found in OpenSSH. A malicious SSH server can exploit a double free vulnerability in the Diffie-Hellman Group Exchange (DH-GEX) client path. This occurs during FIPS (Federal Information Processing Standards) mode known-group validation when the client processes… |
| CVE-2025-66199 | | | 0.00 | — | 0.00 | | Jan 27, 2026 | Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to… |
| CVE-2025-15469 | | | 0.00 | — | 0.00 | | Jan 27, 2026 | Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as… |
| CVE-2025-15468 | | | 0.00 | — | 0.01 | | Jan 27, 2026 | Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process… |
| CVE-2025-11187 | | | 0.00 | — | 0.01 | | Jan 27, 2026 | Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash… |
| CVE-2025-4575 | | | 0.00 | — | 0.00 | | May 22, 2025 | Issue summary: Use of -addreject option with the openssl x509 application adds a trusted use instead of a rejected use for a certificate. Impact summary: If a user intends to make a trusted certificate rejected for a particular use it will be instead marked as trusted for that… |
| CVE-2025-32728 | | | 0.00 | — | 0.00 | | Apr 10, 2025 | In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. |
| CVE-2025-27731 | | | 0.00 | — | 0.01 | | Apr 8, 2025 | Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally. |
| CVE-2024-2408 | | | 0.00 | — | 0.01 | | Jun 9, 2024 | The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: … |
| CVE-2024-26306 | | | 0.00 | — | 0.01 | | May 13, 2024 | iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large… |
| CVE-2023-49210 | | | 0.00 | — | 0.02 | | Nov 23, 2023 | The openssl (aka node-openssl) NPM package through 2.0.0 was characterized as "a nonsense wrapper with no real purpose" by its author, and accepts an opts argument that contains a verb field (used for command execution). NOTE: This vulnerability only affects products that are no… |
| CVE-2023-4807 | | | 0.00 | — | 0.01 | | Sep 8, 2023 | Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions. Impact summary: If in an… |
| CVE-2023-3817 | | | 0.00 | — | 0.03 | | Jul 31, 2023 | Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters… |
| CVE-2023-3446 | | | 0.00 | — | 0.06 | | Jul 19, 2023 | Issue summary: Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters… |
| CVE-2023-2975 | | | 0.00 | — | 0.01 | | Jul 14, 2023 | Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence. Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as… |
| CVE-2023-1255 | | | 0.00 | — | 0.01 | | Apr 20, 2023 | Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. Impact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM platform can crash in rare… |
| CVE-2023-0466 | | | 0.00 | — | 0.02 | | Mar 28, 2023 | The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to… |
| CVE-2023-0465 | | | 0.00 | — | 0.02 | | Mar 28, 2023 | Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are… |
| CVE-2023-0464 | | | 0.00 | — | 0.04 | | Mar 22, 2023 | A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that… |
| CVE-2022-4203 | | | 0.00 | — | 0.01 | | Feb 24, 2023 | A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to… |
| CVE-2022-4304 | | | 0.00 | — | 0.16 | | Feb 8, 2023 | A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of… |
| CVE-2022-4450 | | | 0.00 | — | 0.20 | | Feb 8, 2023 | The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing… |
| CVE-2023-0215 | | | 0.00 | — | 0.04 | | Feb 8, 2023 | The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function… |
| CVE-2023-0216 | | | 0.00 | — | 0.02 | | Feb 8, 2023 | An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service… |
| CVE-2023-0217 | | | 0.00 | — | 0.02 | | Feb 8, 2023 | An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted… |
| CVE-2023-0401 | | | 0.00 | — | 0.02 | | Feb 8, 2023 | A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest… |
| CVE-2022-3996 | | | 0.00 | — | 0.01 | | Dec 13, 2022 | If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy… |
| CVE-2022-2097 | | | 0.00 | — | 0.02 | | Jul 5, 2022 | AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in… |
| CVE-2022-1473 | | | 0.00 | — | 0.02 | | May 3, 2022 | The OPENSSL_LH_flush() function, which empties a hash table, contains a bug that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys… |
| CVE-2022-1434 | | | 0.00 | — | 0.01 | | May 3, 2022 | The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an… |
| CVE-2022-1343 | | | 0.00 | — | 0.01 | | May 3, 2022 | The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate… |
| CVE-2021-4160 | | | 0.00 | — | 0.04 | | Jan 28, 2022 | There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing… |
| CVE-2021-3711 | | | 0.00 | — | 0.88 | | Aug 24, 2021 | In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with… |
| CVE-2021-3450 | | | 0.00 | — | 0.18 | | Mar 25, 2021 | The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve… |
| CVE-2021-28041 | | | 0.00 | — | 0.03 | | Mar 5, 2021 | ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host. |
| CVE-2021-23841 | | | 0.00 | — | 0.07 | | Feb 16, 2021 | The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field… |
| CVE-2021-23839 | | | 0.00 | — | 0.03 | | Feb 16, 2021 | OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a server that is configured to support both SSLv2 and more recent SSL and TLS versions then a check is made for a version rollback attack when unpadding an RSA signature. Clients that support SSL or TLS… |
| CVE-2020-14145 | | | 0.00 | — | 0.02 | | Jun 29, 2020 | The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client).… |
| CVE-2020-12062 | | | 0.00 | — | 0.02 | | Jun 1, 2020 | The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory… |
| CVE-2019-1551 | | | 0.00 | — | 0.14 | | Dec 6, 2019 | There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult… |
| CVE-2019-16905 | | | 0.00 | — | 0.02 | | Oct 9, 2019 | OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the… |
| CVE-2019-1563 | | | 0.00 | — | 0.04 | | Sep 10, 2019 | In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message… |
| CVE-2019-1549 | | | 0.00 | — | 0.06 | | Sep 10, 2019 | OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in… |
| CVE-2019-1547 | | | 0.00 | — | 0.01 | | Sep 10, 2019 | Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a… |
| CVE-2019-1552 | | | 0.00 | — | 0.01 | | Jul 30, 2019 | OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options.… |
| CVE-2019-1543 | | | 0.00 | — | 0.06 | | Mar 6, 2019 | ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12… |
| CVE-2019-1559 | | | 0.00 | — | 0.17 | | Feb 27, 2019 | If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0… |
| CVE-2018-20685 | | | 0.00 | — | 0.04 | | Jan 10, 2019 | In OpenSSH 7.9, scp.c in the scp client allows remote SSH servers to bypass intended access restrictions via the filename of . or an empty filename. The impact is modifying the permissions of the target directory on the client side. |