8.1

CVE-2015-8960

Medienbericht

Exploit

EPSS 0.36%
Veröffentlicht 21.09.2016 02:59:00
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the "Key Compromise Impersonation (KCI)" issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ietf ≫ Transport Layer Security Version <= 1.2

   Apple ≫ Safari Version-
   Google ≫ Chrome Version-
   Microsoft ≫ Internet Explorer Version-
   Mozilla ≫ Firefox Version-
   Opera ≫ Opera Browser Version-

Netapp ≫ Clustered Data Ontap Antivirus Connector Version-

Netapp ≫ Data Ontap Edge Version-

Netapp ≫ Host Agent Version-

Netapp ≫ Oncommand Shift Version-

Netapp ≫ Plug-in For Symantec Netbackup Version-

Netapp ≫ Smi-s Provider Version-

Netapp ≫ Snap Creator Framework Version-

Netapp ≫ Snapdrive Version- SwPlatformunix

Netapp ≫ Snapdrive Version- SwPlatformwindows

Netapp ≫ Snapmanager Version- SwPlatformoracle

Netapp ≫ Snapmanager Version- SwPlatformsap

Netapp ≫ Snapprotect Version-

Netapp ≫ System Setup Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.36%	0.555

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://twitter.com/matthew_d_green/statuses/630908726950674433

Third Party Advisory

Technical Description

Press/Media Coverage

http://www.openwall.com/lists/oss-security/2016/09/20/4

Third Party Advisory

Mailing List

Technical Description

http://www.securityfocus.com/bid/93071

Third Party Advisory

Broken Link

VDB Entry

https://kcitls.org

Exploit

Technical Description

https://security.netapp.com/advisory/ntap-20180626-0002/

Third Party Advisory

https://www.usenix.org/system/files/conference/woot15/woot15-paper-hlauschek.pdf

Exploit

Mitigation

Technical Description

https://nvd.nist.gov/vuln/detail/CVE-2015-8960

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2015-8960

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2015-8960

EUVD