Описание
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2010-4252
- https://access.redhat.com/security/cve/CVE-2010-4252
- https://bugzilla.redhat.com/show_bug.cgi?id=659297
- https://github.com/seb-m/jpake
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19039
- http://cvs.openssl.org/chngview?cn=20098
- http://marc.info/?l=bugtraq&m=129916880600544&w=2
- http://marc.info/?l=bugtraq&m=130497251507577&w=2
- http://openssl.org/news/secadv_20101202.txt
- http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
- http://secunia.com/advisories/42469
- http://secunia.com/advisories/57353
- http://securitytracker.com/id?1024823
- http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
- http://www.securityfocus.com/bid/45163
- http://www.vupen.com/english/advisories/2010/3120
- http://www.vupen.com/english/advisories/2010/3122
Связанные уязвимости
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly valid ...
Уязвимости операционной системы Gentoo Linux, позволяющие удаленному злоумышленнику нарушить конфиденциальность, целостность и доступность защищаемой информации