5

CVE-2003-0078

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."

Data is provided by the National Vulnerability Database (NVD)
OpenSSLOpenSSL Version < 0.9.6i
OpenSSLOpenSSL Version0.9.6i
OpenSSLOpenSSL Version0.9.7 Update-
OpenSSLOpenSSL Version0.9.7 Updatebeta1
OpenSSLOpenSSL Version0.9.7 Updatebeta2
OpenSSLOpenSSL Version0.9.7 Updatebeta3
OpenSSLOpenSSL Version0.9.7 Updatebeta4
OpenSSLOpenSSL Version0.9.7 Updatebeta5
OpenSSLOpenSSL Version0.9.7 Updatebeta6
FreebsdFreebsd Version4.2
FreebsdFreebsd Version4.3
FreebsdFreebsd Version4.4
FreebsdFreebsd Version4.5
FreebsdFreebsd Version4.6
FreebsdFreebsd Version4.7
FreebsdFreebsd Version5.0
OpenbsdOpenbsd Version3.1
OpenbsdOpenbsd Version3.2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 11.64% 0.934
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

http://www.debian.org/security/2003/dsa-253
Vendor Advisory
Broken Link
http://www.openssl.org/news/secadv_20030219.txt
Patch
Vendor Advisory
Broken Link
http://www.securityfocus.com/bid/6884
Third Party Advisory
Broken Link
VDB Entry