7.5
CVE-2010-4252
- EPSS 8.08%
- Veröffentlicht 06.12.2010 21:05:49
- Zuletzt bearbeitet 16.06.2026 23:24:26
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 8.08% | 0.941 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
http://secunia.com/advisories/57353
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
http://marc.info/?l=bugtraq&m=129916880600544&w=2
http://marc.info/?l=bugtraq&m=130497251507577&w=2
http://openssl.org/news/secadv_20101202.txt
http://secunia.com/advisories/42469
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471
http://www.vupen.com/english/advisories/2010/3120
http://www.vupen.com/english/advisories/2010/3122
http://cvs.openssl.org/chngview?cn=20098
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
http://securitytracker.com/id?1024823
http://www.securityfocus.com/bid/45163
https://bugzilla.redhat.com/show_bug.cgi?id=659297
https://github.com/seb-m/jpake
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19039