Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2020-1967

Опубликовано: 21 апр. 2020
Источник: nvd
CVSS3: 7.5
CVSS2: 5
EPSS Средний

Описание

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
Версия от 1.1.1d (включая) до 1.1.1f (включая)
Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:o:freebsd:freebsd:12.1:-:*:*:*:*:*:*
Конфигурация 4

Одно из

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Конфигурация 5

Одно из

cpe:2.3:a:oracle:application_server:12.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Версия до 5.6.48 (включая)
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Версия от 5.7.0 (включая) до 5.7.30 (включая)
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Версия от 8.0.0 (включая) до 8.0.20 (включая)
cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*
Версия до 8.0.20 (включая)
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Версия до 4.0.12 (включая)
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
Версия от 8.0.0 (включая) до 8.0.20 (включая)
cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
Версия до 8.0.21 (включая)
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
Конфигурация 6

Одно из

cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
Версия от 7.3 (включая)
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
Версия от 9.5 (включая)
cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
cpe:2.3:o:broadcom:fabric_operating_system:-:*:*:*:*:*:*:*
Конфигурация 7

Одно из

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
Конфигурация 8
cpe:2.3:a:jdedwards:enterpriseone:*:*:*:*:*:*:*:*
Версия до 9.2.5.0 (исключая)
Конфигурация 9
cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*
Версия до 6.0.9 (исключая)

EPSS

Процентиль: 99%
0.67307
Средний

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-476

Связанные уязвимости

ubuntu логотип

CVE-2020-1967

CVSS3: 7.5
ubuntu
почти 6 лет назад

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

redhat логотип

CVE-2020-1967

CVSS3: 7.5
redhat
почти 6 лет назад

Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack. OpenSSL version 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Fixed in OpenSSL 1.1.1g (Affected 1.1.1d-1.1.1f).

debian логотип

CVE-2020-1967

CVSS3: 7.5
debian
почти 6 лет назад

Server or client applications that call the SSL_check_chain() function ...

suse-cvrf логотип

openSUSE-SU-2020:0945-1

suse-cvrf
больше 5 лет назад

Security update for rust, rust-cbindgen

suse-cvrf логотип

openSUSE-SU-2020:0933-1

suse-cvrf
больше 5 лет назад

Security update for rust, rust-cbindgen

EPSS

Процентиль: 99%
0.67307
Средний

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-476