CVE-2008-7270

MEDIUM

Description

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

References

http://cvs.openssl.org/chngview?cn=17489

http://marc.info/?l=bugtraq&m=132077688910227&w=2

http://secunia.com/advisories/42493

http://ubuntu.com/usn/usn-1029-1

http://www.redhat.com/support/errata/RHSA-2010-0977.html

http://www.redhat.com/support/errata/RHSA-2010-0978.html

http://www.redhat.com/support/errata/RHSA-2011-0896.html

http://www.securityfocus.com/archive/1/522176

http://www.securityfocus.com/bid/45254

https://bugzilla.redhat.com/show_bug.cgi?id=659462

Details

Source: MITRE

Published: 2010-12-06

Updated: 2012-04-06

Type: CWE-310

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM