Vulnerabilities > Openssl > High

DATE CVE VULNERABILITY TITLE RISK
2019-03-06 CVE-2019-1543 Use of Insufficiently Random Values vulnerability in Openssl
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation.
network
high complexity
openssl CWE-330
7.4
2018-06-12 CVE-2018-0732 Key Management Errors vulnerability in multiple products
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client.
network
low complexity
openssl debian canonical nodejs CWE-320
7.5
2017-11-13 CVE-2016-8610 A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. 7.5
2017-05-04 CVE-2017-3733 Improper Input Validation vulnerability in multiple products
During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite).
network
low complexity
openssl hp CWE-20
7.5
2017-05-04 CVE-2017-3731 Out-of-bounds Read vulnerability in multiple products
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash.
network
low complexity
openssl nodejs CWE-125
7.5
2017-05-04 CVE-2017-3730 NULL Pointer Dereference vulnerability in multiple products
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash.
network
low complexity
openssl oracle CWE-476
7.5
2017-05-04 CVE-2016-7054 Improper Access Control vulnerability in Openssl 1.1.0/1.1.0A/1.1.0B
In OpenSSL 1.1.0 before 1.1.0c, TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads.
network
low complexity
openssl CWE-284
7.5
2017-05-04 CVE-2016-7053 NULL Pointer Dereference vulnerability in Openssl 1.1.0/1.1.0A/1.1.0B
In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference.
network
low complexity
openssl CWE-476
7.5
2016-09-26 CVE-2016-7052 NULL Pointer Dereference vulnerability in multiple products
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
network
low complexity
novell openssl nodejs CWE-476
7.5
2016-09-26 CVE-2016-6305 Improper Input Validation vulnerability in Openssl 1.1.0
The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.
network
low complexity
openssl CWE-20
7.5