CVE-2016-5117

Опубликовано: 31 янв. 2017

Источник: nvd

CVSS3: 5.9

CVSS2: 4.3

EPSS Низкий

Описание

OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.

Ссылки

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/constraint.c.diff?r1=1.27&r2=1.28
Patch
http://www.openntpd.org/txt/release-6.0p1.txt
Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/05/23/2
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/05/29/6
Mailing List
Third Party Advisory
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/constraint.c.diff?r1=1.27&r2=1.28
Patch
http://www.openntpd.org/txt/release-6.0p1.txt
Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/05/23/2
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/05/29/6
Mailing List
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openntpd:openntpd:*:*:*:*:*:*:*:*

Версия до 6.0 (включая)

EPSS

Процентиль: 50%

0.0027

Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-254

Связанные уязвимости

CVE-2016-5117

CVSS3: 5.9

ubuntu

около 9 лет назад

CVE-2016-5117

CVSS3: 5.9

debian

около 9 лет назад

OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint re ...

GHSA-4m25-49gx-cpq6

CVSS3: 5.9

github

больше 3 лет назад

EPSS

Процентиль: 50%

0.0027

Низкий

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-254