Vulnerabilities > Openssl > Openssl > 1.0.1k

DATE CVE VULNERABILITY TITLE RISK
2021-12-14 CVE-2021-4044 Infinite Loop vulnerability in multiple products
Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server.
network
low complexity
openssl netapp nodejs CWE-835
7.5
2018-09-10 CVE-2016-7056 Covert Timing Channel vulnerability in multiple products
A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
local
low complexity
openssl debian redhat canonical CWE-385
5.5
2017-08-28 CVE-2017-3735 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread.
network
low complexity
openssl debian CWE-119
5.3
2016-09-26 CVE-2016-6306 Out-of-bounds Read vulnerability in multiple products
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
network
high complexity
openssl hp novell nodejs debian canonical CWE-125
5.9
2016-09-26 CVE-2016-6304 Memory Leak vulnerability in multiple products
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
network
low complexity
openssl nodejs novell CWE-401
7.5
2016-09-16 CVE-2016-6303 Out-of-bounds Write vulnerability in multiple products
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
network
low complexity
nodejs openssl CWE-787
critical
9.8
2016-09-16 CVE-2016-6302 Improper Input Validation vulnerability in multiple products
The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
network
low complexity
openssl oracle CWE-20
7.5
2016-09-16 CVE-2016-2182 Out-of-bounds Write vulnerability in multiple products
The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
network
low complexity
hp openssl oracle CWE-787
critical
9.8
2016-09-16 CVE-2016-2181 Numeric Errors vulnerability in multiple products
The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
network
low complexity
openssl oracle CWE-189
7.5
2016-09-16 CVE-2016-2179 Resource Management Errors vulnerability in multiple products
The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
network
low complexity
openssl oracle CWE-399
7.5