ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
CVSS v2.0 score: 5.0 / 10.0 (MEDIUM)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Information
- Published: 3 March 2003
- Updated: 16 April 2026
- Status: Modified
- Source: cve@mitre.org
Affected products
openssl openssl
Versions: 0.9.6i, 0.9.7
freebsd freebsd
Versions: 4.2, 4.3, 4.4, 4.5, 4.6
openbsd openbsd
Versions: 3.1, 3.2
Weaknesses (CWE)
CWE-203
References (40)
- http://marc.info/?l=bugtraq&m=104567627211904&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=104568426824439&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=104577183206905&w=2 (Third Party Advisory)
- http://www.debian.org/security/2003/dsa-253 (Broken Link, Vendor Advisory)
- http://www.iss.net/security_center/static/11369.php (Broken Link, Vendor Advisory)
- http://www.openssl.org/news/secadv_20030219.txt (Broken Link, Patch, Vendor Advisory)
- http://www.osvdb.org/3945 (Broken Link)
- + 25 more references on NVD