7.4
CVE-2014-0224
- EPSS 92.72%
- Published 05.06.2014 21:55:07
- Last modified 12.04.2025 10:46:40
- Source secalert@redhat.com
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
Data is provided by the National Vulnerability Database (NVD)
Redhat ≫ Jboss Enterprise Application Platform Version 5.2.0
Redhat ≫ Jboss Enterprise Application Platform Version 6.2.3
Redhat ≫ Jboss Enterprise Web Platform Version 5.2.0
Redhat ≫ Jboss Enterprise Web Server Version 2.0.1
Fedoraproject ≫ Fedora Version 19
Fedoraproject ≫ Fedora Version 20
Redhat ≫ Enterprise Linux Version 4
Redhat ≫ Enterprise Linux Version 5
Redhat ≫ Enterprise Linux Version 6.0
Filezilla-project ≫ Filezilla Server Version < 0.9.45
Siemens ≫ Application Processing Engine Firmware Version < 2.0.2
Siemens ≫ Cp1543-1 Firmware Version < 1.1.25
Siemens ≫ S7-1500 Firmware Version < 1.6
Siemens ≫ Rox Firmware Version < 1.16.1
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 92.72% | 0.997 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.4 | 2.2 | 5.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd@nist.gov | 5.8 | 8.6 | 4.9 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
CWE-326 Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.