5.9
CVE-2017-15698
- EPSS 0.83%
- Veröffentlicht 31.01.2018 14:29:00
- Zuletzt bearbeitet 21.11.2024 03:15:01
- Quelle security@apache.org
- Teams Watchlist Login
- Unerledigt Login
When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Apache ≫ Tomcat Native Version >= 1.1.23 <= 1.1.34
Apache ≫ Tomcat Native Version >= 1.2.0 <= 1.2.14
Debian ≫ Debian Linux Version8.0
Debian ≫ Debian Linux Version9.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.83% | 0.722 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:N
|
CWE-295 Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.