
github-scanner-test's People

Contributors

annarozin, melscoop, mend-bolt-for-github[bot], mx1010, ruslangox, tomshapira


github-scanner-test's Issues

CVE-2015-5143 (High) detected in django-1.4 - autoclosed

CVE-2015-5143 - High Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Publish Date: 2015-07-14

URL: CVE-2015-5143

CVSS 2 Score Details (7.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143

Release Date: 2015-07-14

Fix Resolution: 1.4.21,1.7.9,1.8.3


Step up your Open Source Security Game with WhiteSource here

CVE-2016-0800 (Medium) detected in multiple libraries - autoclosed

CVE-2016-0800 - Medium Severity Vulnerability

Vulnerable Libraries -

Vulnerability Details

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Publish Date: 2016-03-01

URL: CVE-2016-0800

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0800

Release Date: 2016-03-01

Fix Resolution: 1.0.1s,1.0.2g

CVE-2014-3506 (Medium) detected in io.jsv8.0.0

CVE-2014-3506 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/d1_both.c

Vulnerability Details

d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.

Publish Date: 2014-08-13

URL: CVE-2014-3506

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3506

Release Date: 2014-08-13

Fix Resolution: 0.9.8zb,1.0.0n,1.0.1i

CVE-2016-2537 (High) detected in node-v1.6.4 - autoclosed

CVE-2016-2537 - High Severity Vulnerability

Vulnerable Library - nodev1.6.4

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/nodejs/node.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (37)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/openssl/ssl/s23_srvr.c
  • /github-scanner-test/openssl/ssl/ssl2.h
  • /github-scanner-test/openssl/ssl/t1_reneg.c
  • /github-scanner-test/openssl/ssl/d1_meth.c
  • /github-scanner-test/openssl/ssl/t1_meth.c
  • /github-scanner-test/openssl/ssl/s3_enc.c
  • /github-scanner-test/openssl/ssl/t1_srvr.c
  • /github-scanner-test/openssl/ssl/tls_srp.c
  • /github-scanner-test/openssl/ssl/dtls1.h
  • /github-scanner-test/openssl/ssl/ssl_stat.c
  • /github-scanner-test/openssl/ssl/t1_clnt.c
  • /github-scanner-test/openssl/ssl/s2_clnt.c
  • /github-scanner-test/openssl/ssl/s2_enc.c
  • /github-scanner-test/openssl/ssl/d1_clnt.c
  • /github-scanner-test/openssl/ssl/d1_both.c
  • /github-scanner-test/openssl/ssl/ssl_algs.c
  • /github-scanner-test/openssl/ssl/ssl_cert.c
  • /github-scanner-test/openssl/ssl/ssl_sess.c
  • /github-scanner-test/openssl/ssl/s2_meth.c
  • /github-scanner-test/is-my-json-valid/formats.js
  • /github-scanner-test/openssl/ssl/ssl_rsa.c
  • /github-scanner-test/openssl/ssl/d1_srtp.c
  • /github-scanner-test/openssl/ssl/d1_enc.c
  • /github-scanner-test/openssl/ssl/s23_meth.c
  • /github-scanner-test/openssl/ssl/s23_lib.c
  • /github-scanner-test/openssl/ssl/kssl_lcl.h
  • /github-scanner-test/openssl/ssl/ssl_txt.c
  • /github-scanner-test/openssl/ssl/ssl_asn1.c
  • /github-scanner-test/openssl/ssl/tls1.h
  • /github-scanner-test/openssl/ssl/srtp.h
  • /github-scanner-test/openssl/ssl/s2_lib.c
  • /github-scanner-test/openssl/ssl/ssl_locl.h
  • /github-scanner-test/openssl/ssl/s2_pkt.c
  • /github-scanner-test/openssl/ssl/kssl.h
  • /github-scanner-test/openssl/ssl/kssl.c
  • /github-scanner-test/openssl/ssl/s2_srvr.c
  • /github-scanner-test/openssl/ssl/s3_meth.c

Vulnerability Details

The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.

Publish Date: 2016-02-23

URL: CVE-2016-2537

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2537

Release Date: 2016-02-23

Fix Resolution: 2.12.4

CVE-2014-3505 (Medium) detected in io.jsv8.0.0

CVE-2014-3505 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/d1_both.c

Vulnerability Details

Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.

Publish Date: 2014-08-13

URL: CVE-2014-3505

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3505

Release Date: 2014-08-13

Fix Resolution: 0.9.8zb,1.0.0n,1.0.1i

CVE-2014-3511 (Low) detected in io.jsv8.0.0

CVE-2014-3511 - Low Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/s23_srvr.c

Vulnerability Details

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

Publish Date: 2014-08-13

URL: CVE-2014-3511

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3511

Release Date: 2014-08-13

Fix Resolution: 1.0.1i

CVE-2014-0483 (Low) detected in django-1.4 - autoclosed

CVE-2014-0483 - Low Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

Publish Date: 2014-08-26

URL: CVE-2014-0483

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0483

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1

CVE-2014-0195 (Medium) detected in io.jsv8.0.0

CVE-2014-0195 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/d1_both.c

Vulnerability Details

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

Publish Date: 2014-06-05

URL: CVE-2014-0195

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0195

Release Date: 2014-06-05

Fix Resolution: 0.9.8za,1.0.0m,1.0.1h

CVE-2015-0293 (Medium) detected in io.jsv8.0.0

CVE-2015-0293 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/s2_lib.c

Vulnerability Details

The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.

Publish Date: 2015-03-19

URL: CVE-2015-0293

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0293

Release Date: 2015-03-19

Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a

CVE-2016-0703 (Medium) detected in io.jsv8.0.0

CVE-2016-0703 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/s2_srvr.c

Vulnerability Details

The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Publish Date: 2016-03-02

URL: CVE-2016-0703

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0703

Release Date: 2016-03-02

Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a

CVE-2016-0704 (Medium) detected in io.jsv8.0.0

CVE-2016-0704 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/s2_srvr.c

Vulnerability Details

An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Publish Date: 2016-03-02

URL: CVE-2016-0704

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0704

Release Date: 2016-03-02

Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a

CVE-2015-5143 (High) detected in django1.4

CVE-2015-5143 - High Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/django/validators.py

Vulnerability Details

The session backends in Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 allow remote attackers to cause a denial of service (session store consumption) via multiple requests with unique session keys.

Publish Date: 2015-07-14

URL: CVE-2015-5143

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5143

Release Date: 2015-07-14

Fix Resolution: 1.4.21,1.7.9,1.8.3

CVE-2014-0472 (Medium) detected in django1.4

CVE-2014-0472 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/django/urlresolvers.py

Vulnerability Details

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Publish Date: 2014-04-23

URL: CVE-2014-0472

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472

Release Date: 2014-04-23

Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2

CVE-2014-0480 (Medium) detected in django-1.4 - autoclosed

CVE-2014-0480 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Publish Date: 2014-08-26

URL: CVE-2014-0480

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1

CVE-2014-0482 (Medium) detected in django1.4

CVE-2014-0482 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/django/urlresolvers.py

Vulnerability Details

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

Publish Date: 2014-08-26

URL: CVE-2014-0482

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7

CVE-2012-2333 (Medium) detected in io.jsv8.0.0, opensslOpenSSL_1_0_1

CVE-2012-2333 - Medium Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, opensslOpenSSL_1_0_1

Vulnerability Details

Integer underflow in OpenSSL before 0.9.8x, 1.0.0 before 1.0.0j, and 1.0.1 before 1.0.1c, when TLS 1.1, TLS 1.2, or DTLS is used with CBC encryption, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted TLS packet that is not properly handled during a certain explicit IV calculation.

Publish Date: 2012-05-14

URL: CVE-2012-2333

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-2333

Release Date: 2012-05-14

Fix Resolution: 0.9.8x,1.0.0j,1.0.1c

CVE-2016-2537 (High) detected in node-v1.6.4 - autoclosed

CVE-2016-2537 - High Severity Vulnerability

Vulnerable Library - nodev1.6.4

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/nodejs/node.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Library Source Files (37)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/openssl/ssl/s23_srvr.c
  • /github-scanner-test/openssl/ssl/ssl2.h
  • /github-scanner-test/openssl/ssl/t1_reneg.c
  • /github-scanner-test/openssl/ssl/d1_meth.c
  • /github-scanner-test/openssl/ssl/t1_meth.c
  • /github-scanner-test/openssl/ssl/s3_enc.c
  • /github-scanner-test/openssl/ssl/t1_srvr.c
  • /github-scanner-test/openssl/ssl/tls_srp.c
  • /github-scanner-test/openssl/ssl/dtls1.h
  • /github-scanner-test/openssl/ssl/ssl_stat.c
  • /github-scanner-test/openssl/ssl/t1_clnt.c
  • /github-scanner-test/openssl/ssl/s2_clnt.c
  • /github-scanner-test/openssl/ssl/s2_enc.c
  • /github-scanner-test/openssl/ssl/d1_clnt.c
  • /github-scanner-test/openssl/ssl/d1_both.c
  • /github-scanner-test/openssl/ssl/ssl_algs.c
  • /github-scanner-test/openssl/ssl/ssl_cert.c
  • /github-scanner-test/openssl/ssl/ssl_sess.c
  • /github-scanner-test/openssl/ssl/s2_meth.c
  • /github-scanner-test/is-my-json-valid/formats.js
  • /github-scanner-test/openssl/ssl/ssl_rsa.c
  • /github-scanner-test/openssl/ssl/d1_srtp.c
  • /github-scanner-test/openssl/ssl/d1_enc.c
  • /github-scanner-test/openssl/ssl/s23_meth.c
  • /github-scanner-test/openssl/ssl/s23_lib.c
  • /github-scanner-test/openssl/ssl/kssl_lcl.h
  • /github-scanner-test/openssl/ssl/ssl_txt.c
  • /github-scanner-test/openssl/ssl/ssl_asn1.c
  • /github-scanner-test/openssl/ssl/tls1.h
  • /github-scanner-test/openssl/ssl/srtp.h
  • /github-scanner-test/openssl/ssl/s2_lib.c
  • /github-scanner-test/openssl/ssl/ssl_locl.h
  • /github-scanner-test/openssl/ssl/s2_pkt.c
  • /github-scanner-test/openssl/ssl/kssl.h
  • /github-scanner-test/openssl/ssl/kssl.c
  • /github-scanner-test/openssl/ssl/s2_srvr.c
  • /github-scanner-test/openssl/ssl/s3_meth.c

Vulnerability Details

The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.

Publish Date: 2016-02-23

URL: CVE-2016-2537

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2537

Release Date: 2016-02-23

Fix Resolution: 2.12.4

CVE-2016-2179 (High) detected in io.jsv8.0.0

CVE-2016-2179 - High Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/ssl_locl.h

Vulnerability Details

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.

Publish Date: 2016-09-16

URL: CVE-2016-2179

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/secadv/20160922.txt

Release Date: 2016-09-16

Fix Resolution: 1.0.1u,1.0.2i

CVE-2014-0483 (Low) detected in django1.4 - autoclosed

CVE-2014-0483 - Low Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Vulnerable Source Files (0)

Vulnerability Details

The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI.

Publish Date: 2014-08-26

URL: CVE-2014-0483

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0483

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7

CVE-2015-5144 (Medium) detected in django-1.4 - autoclosed

CVE-2015-5144 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

Publish Date: 2015-07-14

URL: CVE-2015-5144

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5144

Release Date: 2015-07-14

Fix Resolution: 1.4.21,1.7.9,1.8.3

CVE-2015-0293 (Medium) detected in node-v1.6.4 - autoclosed

CVE-2015-0293 - Medium Severity Vulnerability

Vulnerable Library - nodev1.6.4

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/nodejs/node.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (37)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/openssl/ssl/s23_srvr.c
  • /github-scanner-test/openssl/ssl/ssl2.h
  • /github-scanner-test/openssl/ssl/t1_reneg.c
  • /github-scanner-test/openssl/ssl/d1_meth.c
  • /github-scanner-test/openssl/ssl/t1_meth.c
  • /github-scanner-test/openssl/ssl/s3_enc.c
  • /github-scanner-test/openssl/ssl/t1_srvr.c
  • /github-scanner-test/openssl/ssl/tls_srp.c
  • /github-scanner-test/openssl/ssl/dtls1.h
  • /github-scanner-test/openssl/ssl/ssl_stat.c
  • /github-scanner-test/openssl/ssl/t1_clnt.c
  • /github-scanner-test/openssl/ssl/s2_clnt.c
  • /github-scanner-test/openssl/ssl/s2_enc.c
  • /github-scanner-test/openssl/ssl/d1_clnt.c
  • /github-scanner-test/openssl/ssl/d1_both.c
  • /github-scanner-test/openssl/ssl/ssl_algs.c
  • /github-scanner-test/openssl/ssl/ssl_cert.c
  • /github-scanner-test/openssl/ssl/ssl_sess.c
  • /github-scanner-test/openssl/ssl/s2_meth.c
  • /github-scanner-test/is-my-json-valid/formats.js
  • /github-scanner-test/openssl/ssl/ssl_rsa.c
  • /github-scanner-test/openssl/ssl/d1_srtp.c
  • /github-scanner-test/openssl/ssl/d1_enc.c
  • /github-scanner-test/openssl/ssl/s23_meth.c
  • /github-scanner-test/openssl/ssl/s23_lib.c
  • /github-scanner-test/openssl/ssl/kssl_lcl.h
  • /github-scanner-test/openssl/ssl/ssl_txt.c
  • /github-scanner-test/openssl/ssl/ssl_asn1.c
  • /github-scanner-test/openssl/ssl/tls1.h
  • /github-scanner-test/openssl/ssl/srtp.h
  • /github-scanner-test/openssl/ssl/s2_lib.c
  • /github-scanner-test/openssl/ssl/ssl_locl.h
  • /github-scanner-test/openssl/ssl/s2_pkt.c
  • /github-scanner-test/openssl/ssl/kssl.h
  • /github-scanner-test/openssl/ssl/kssl.c
  • /github-scanner-test/openssl/ssl/s2_srvr.c
  • /github-scanner-test/openssl/ssl/s3_meth.c

Vulnerability Details

The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message.

Publish Date: 2015-03-19

URL: CVE-2015-0293

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0293

Release Date: 2015-03-19

Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a

CVE-2015-5144 (Low) detected in django1.4

CVE-2015-5144 - Low Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/django/validators.py

Vulnerability Details

Django before 1.4.21, 1.5.x through 1.6.x, 1.7.x before 1.7.9, and 1.8.x before 1.8.3 uses an incorrect regular expression, which allows remote attackers to inject arbitrary headers and conduct HTTP response splitting attacks via a newline character in an (1) email message to the EmailValidator, a (2) URL to the URLValidator, or unspecified vectors to the (3) validate_ipv4_address or (4) validate_slug validator.

Publish Date: 2015-07-14

URL: CVE-2015-5144

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5144

Release Date: 2015-07-14

Fix Resolution: 1.4.21,1.7.9,1.8.3
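
The two CVE-2015-5144 reports above share one root cause, so the following added example (written for this page; it is neither Django's code nor the scanner's output) illustrates it once. In Python a regex anchored with '$' also matches immediately before a trailing newline, while '\Z' matches only at the very end of the string. The e-mail pattern, the header builder and the header parser below are simplified stand-ins for the real ones, and the crafted address is constructed input. Django's own HttpResponse and django.core.mail refuse header values that contain newlines; the exposure is in application code that writes a validated value into a header block itself, which is what the naive builder here does.

```python
import re
from typing import Any, Dict

# Simplified e-mail pattern for the demonstration (assumption: not Django's
# full EmailValidator regex). Only the anchor differs between the two forms.
_EMAIL_CORE = r"^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}"
EMAIL_VULNERABLE = re.compile(_EMAIL_CORE + r"$", re.IGNORECASE)   # pre-1.4.21 style anchor
EMAIL_FIXED = re.compile(_EMAIL_CORE + r"\Z", re.IGNORECASE)       # anchor used by the fix


def is_valid_email(value: str, fixed: bool = True) -> bool:
    """Return True if value passes the fixed (or, with fixed=False, vulnerable) check."""
    pattern = EMAIL_FIXED if fixed else EMAIL_VULNERABLE
    return pattern.match(value) is not None


def build_mail_headers(to_addr: str) -> str:
    """Naive header builder that trusts a value the validator approved.

    This is the pattern the advisory warns about: the application, not
    django.core.mail, assembles the raw header block from the value.
    """
    return f"To: {to_addr}\r\nSubject: Password reset\r\nX-Internal: 1\r\n\r\nBody text"


def parse_header_block(raw: str) -> Dict[str, Any]:
    """Split a raw message into its header dict and body.

    A bare LF is accepted as a line terminator, as many SMTP and HTTP parsers
    do; the first empty line ends the header block.
    """
    lines = re.split(r"\r\n|\n", raw)
    headers: Dict[str, str] = {}
    body = ""
    for i, line in enumerate(lines):
        if line == "":
            body = "\n".join(lines[i + 1:])
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"headers": headers, "body": body}


def demo(fixed: bool) -> Dict[str, Any]:
    """Validate a crafted address, then show what a downstream parser sees."""
    crafted = "victim@example.com\n"          # constructed attacker input: trailing LF
    if not is_valid_email(crafted, fixed=fixed):
        return {"accepted": False}
    parsed = parse_header_block(build_mail_headers(crafted))
    return {"accepted": True, **parsed}


if __name__ == "__main__":
    # With the '$' anchor the address is accepted and the LF, followed by the
    # builder's CRLF, forms an empty line: every header after 'To' becomes body.
    print("vulnerable:", demo(fixed=False))
    print("fixed:     ", demo(fixed=True))
```

The injected character is only the final newline, since '$' tolerates exactly one trailing newline and nothing after it; that is still enough to terminate the header block early and push the remaining headers into the body, and the same anchor defect applied to URLValidator, validate_ipv4_address and validate_slug. The check to apply in your own code is the one the fix applied: anchor with '\Z', and reject '\r' and '\n' in any value that is about to become a header.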

WS-2018-0021 (Medium) detected in bootstrap.4.0.0-alpha6.nupkg - autoclosed

WS-2018-0021 - Medium Severity Vulnerability

Vulnerable Library - bootstrap.4.0.0-alpha6.nupkg

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://api.nuget.org/packages/bootstrap.4.0.0-alpha6.nupkg

Path to vulnerable library: /github-scanner-test/nuget/bootstrap.4.0.0-alpha6.nupkg

Dependency Hierarchy:

  • โŒ bootstrap.4.0.0-alpha6.nupkg (Vulnerable Library)

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Vulnerability Details

XSS in data-target in bootstrap (3.3.7 and before)

Publish Date: 2017-06-27

URL: WS-2018-0021

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: twbs/bootstrap@d9be1da

Release Date: 2017-08-25

Fix Resolution: Replace or update the following files: alert.js, carousel.js, collapse.js, dropdown.js, modal.js

CVE-2013-6450 (Medium) detected in io.jsv8.0.0, opensslOpenSSL_1_0_1

CVE-2013-6450 - Medium Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, opensslOpenSSL_1_0_1

Vulnerability Details

The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

Publish Date: 2014-01-01

URL: CVE-2013-6450

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6450

Release Date: 2014-01-01

Fix Resolution: 1.0.0l,1.0.1f

CVE-2014-3568 (Low) detected in io.jsv8.0.0, opensslOpenSSL_1_0_1

CVE-2014-3568 - Low Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, opensslOpenSSL_1_0_1

Vulnerability Details

OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.

Publish Date: 2014-10-19

URL: CVE-2014-3568

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3568

Release Date: 2014-10-19

Fix Resolution: 0.9.8zc,1.0.0o,1.0.1j

CVE-2014-0473 (Medium) detected in django-1.4 - autoclosed

CVE-2014-0473 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

Publish Date: 2014-04-23

URL: CVE-2014-0473

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0473

Release Date: 2014-04-23

Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2

CVE-2014-3513 (Medium) detected in io.jsv8.0.0, opensslOpenSSL_1_0_1

CVE-2014-3513 - Medium Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, opensslOpenSSL_1_0_1

Vulnerability Details

Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.

Publish Date: 2014-10-19

URL: CVE-2014-3513

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3513

Release Date: 2014-10-19

Fix Resolution: 1.0.1j

CVE-2015-1791 (Medium) detected in node-v1.6.4 - autoclosed

CVE-2015-1791 - Medium Severity Vulnerability

Vulnerable Library - nodev1.6.4

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/nodejs/node.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (37)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/openssl/ssl/s23_srvr.c
  • /github-scanner-test/openssl/ssl/ssl2.h
  • /github-scanner-test/openssl/ssl/t1_reneg.c
  • /github-scanner-test/openssl/ssl/d1_meth.c
  • /github-scanner-test/openssl/ssl/t1_meth.c
  • /github-scanner-test/openssl/ssl/s3_enc.c
  • /github-scanner-test/openssl/ssl/t1_srvr.c
  • /github-scanner-test/openssl/ssl/tls_srp.c
  • /github-scanner-test/openssl/ssl/dtls1.h
  • /github-scanner-test/openssl/ssl/ssl_stat.c
  • /github-scanner-test/openssl/ssl/t1_clnt.c
  • /github-scanner-test/openssl/ssl/s2_clnt.c
  • /github-scanner-test/openssl/ssl/s2_enc.c
  • /github-scanner-test/openssl/ssl/d1_clnt.c
  • /github-scanner-test/openssl/ssl/d1_both.c
  • /github-scanner-test/openssl/ssl/ssl_algs.c
  • /github-scanner-test/openssl/ssl/ssl_cert.c
  • /github-scanner-test/openssl/ssl/ssl_sess.c
  • /github-scanner-test/openssl/ssl/s2_meth.c
  • /github-scanner-test/is-my-json-valid/formats.js
  • /github-scanner-test/openssl/ssl/ssl_rsa.c
  • /github-scanner-test/openssl/ssl/d1_srtp.c
  • /github-scanner-test/openssl/ssl/d1_enc.c
  • /github-scanner-test/openssl/ssl/s23_meth.c
  • /github-scanner-test/openssl/ssl/s23_lib.c
  • /github-scanner-test/openssl/ssl/kssl_lcl.h
  • /github-scanner-test/openssl/ssl/ssl_txt.c
  • /github-scanner-test/openssl/ssl/ssl_asn1.c
  • /github-scanner-test/openssl/ssl/tls1.h
  • /github-scanner-test/openssl/ssl/srtp.h
  • /github-scanner-test/openssl/ssl/s2_lib.c
  • /github-scanner-test/openssl/ssl/ssl_locl.h
  • /github-scanner-test/openssl/ssl/s2_pkt.c
  • /github-scanner-test/openssl/ssl/kssl.h
  • /github-scanner-test/openssl/ssl/kssl.c
  • /github-scanner-test/openssl/ssl/s2_srvr.c
  • /github-scanner-test/openssl/ssl/s3_meth.c

Vulnerability Details

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

Publish Date: 2015-06-12

URL: CVE-2015-1791

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1791

Release Date: 2015-06-12

Fix Resolution: 0.9.8zg,1.0.0s,1.0.1n,1.0.2b

CVE-2014-0160 (High) detected in io.jsv8.0.0, opensslOpenSSL_1_0_1

CVE-2014-0160 - High Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, opensslOpenSSL_1_0_1

Vulnerability Details

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Publish Date: 2014-04-07

URL: CVE-2014-0160

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0160

Release Date: 2014-04-07

Fix Resolution: 1.0.1g
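
As an added example for the Heartbleed report above (a Python simulation written for this page, not OpenSSL's C code), the following models a TLS heartbeat request as defined in RFC 6520: a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding. The vulnerable tls1_process_heartbeat in t1_lib.c (and its DTLS twin in d1_both.c) trusted the declared payload length and copied that many bytes out of the receive buffer into the reply, so a short record claiming a large payload echoed whatever sat next to it in process memory. The 1.0.1g fix discards any record shorter than 1 + 2 + payload_length + 16 before copying anything. The 'memory' buffer, the record and the secret placed beside it are all constructed for the demonstration, and the zero padding in the reply is a simplification.

```python
import struct
from typing import Optional

HB_REQUEST = 1       # HeartbeatMessageType heartbeat_request (RFC 6520)
HB_RESPONSE = 2      # HeartbeatMessageType heartbeat_response
PADDING_MIN = 16     # RFC 6520 requires at least 16 bytes of padding


def build_request(declared_len: int, payload: bytes) -> bytes:
    """Encode a heartbeat request; declared_len may lie about len(payload)."""
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING_MIN


def process_heartbeat(record: bytes, memory: bytes, fixed: bool = True) -> Optional[bytes]:
    """Return the heartbeat response, or None if the record is discarded.

    `memory` stands in for the receive buffer the record was read into: the
    record bytes followed by unrelated process data (constructed here). Only
    the first len(record) bytes legitimately belong to the record.
    """
    if len(record) < 3:
        return None                                   # not even a type and length
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if fixed and 1 + 2 + payload_len + PADDING_MIN > len(record):
        return None                                   # the 1.0.1g check: silently discard
    # Copy payload_len bytes from the payload offset. Without the check above
    # this runs past the end of the record into adjacent buffer contents,
    # which is the over-read the advisory describes.
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING_MIN


def demo(fixed: bool) -> Optional[bytes]:
    """A 2-byte payload that claims to be 64 bytes, next to data that must not leak."""
    record = build_request(64, b"hi")                 # 21 bytes on the wire
    memory = record + b"SECRET-session-cookie=abc123;" + b"\x00" * 64   # constructed
    return process_heartbeat(record, memory, fixed=fixed)


if __name__ == "__main__":
    leaked = demo(fixed=False)
    print("vulnerable reply contains SECRET:", leaked is not None and b"SECRET" in leaked)
    print("fixed reply:", demo(fixed=True))           # None: record discarded
```

The lesson generalises beyond OpenSSL: any length field carried inside a message must be checked against the length of the enclosing record before it drives a copy, and the check belongs before the first byte is read. A legitimate request, one whose declared length matches its payload, still gets its reply under the fixed path, which is what the last assertion in the test confirms.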

CVE-2016-2177 (Critical) detected in io.jsv8.0.0, opensslOpenSSL_1_0_1

CVE-2016-2177 - Critical Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, opensslOpenSSL_1_0_1

Vulnerability Details

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

Publish Date: 2016-06-20

URL: CVE-2016-2177

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2177

Release Date: 2016-06-20

Fix Resolution: openssl - 1.0.2.i-1;lib32-openssl - 1:1.0.2.i-1

CVE-2014-0480 (Medium) detected in django1.4

CVE-2014-0480 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/django/urlresolvers.py

Vulnerability Details

The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL to be generated.

Publish Date: 2014-08-26

URL: CVE-2014-0480

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0480

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1
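
An added example for CVE-2014-0480 (a simplified model written for this page, not Django's urlresolvers.py): reverse() prepends the script prefix, normally '/', to the URL pattern filled in with caller-supplied arguments. With a catch-all route whose first segment is an argument, an argument that begins with '/' yields a result that begins with '//', which browsers resolve as a scheme-relative URL on another host, so a redirect built from the reversed URL lands on the attacker's site. The fixed releases listed above percent-encode the second slash so the result stays a path on the current host. The catch-all route, the script prefix and the RFC 3986 sub-delimiter set are assumptions of this model; 'evil.example' is constructed input.

```python
from urllib.parse import quote

# Sub-delimiters from RFC 3986 that are left unquoted in a reversed URL
# (assumption: mirrors the safe set used for path quoting).
RFC3986_SUBDELIMS = "!$&'()*+,;="


def _reverse_with_prefix(pattern: str, prefix: str, args: dict) -> str:
    """Core of reverse(): script prefix + pattern filled in, quoted as a path."""
    candidate = prefix + (pattern % args)
    return quote(candidate, safe=RFC3986_SUBDELIMS + "/~:@")


def reverse_vulnerable(pattern: str, prefix: str = "/", **kwargs) -> str:
    """Behaviour before the fix: a leading '//' is returned unchanged."""
    return _reverse_with_prefix(pattern, prefix, kwargs)


def reverse_fixed(pattern: str, prefix: str = "/", **kwargs) -> str:
    """Behaviour after the fix: '//host/...' becomes '/%2Fhost/...'."""
    url = _reverse_with_prefix(pattern, prefix, kwargs)
    if url.startswith("//"):
        url = "/%2F" + url[2:]        # second slash encoded: still a local path
    return url


def is_scheme_relative(url: str) -> bool:
    """Guard to run on any URL before it goes into a Location header."""
    return url.startswith("//")


if __name__ == "__main__":
    # Constructed catch-all route, e.g. url(r'^(?P<path>.*)$', ...), whose
    # 'path' argument comes from a query string the attacker controls.
    evil = "/evil.example/login"
    print(reverse_vulnerable("%(path)s", path=evil))         # //evil.example/login
    print(reverse_fixed("%(path)s", path=evil))              # /%2Fevil.example/login
    print(reverse_fixed("articles/%(year)s/", year="2014"))  # /articles/2014/
```

is_scheme_relative is the check to keep regardless of framework version: apply it to every URL, reversed or user-supplied, before issuing a redirect. It covers only the '//' form this advisory describes; some browsers also treat a leading '/\' as scheme-relative, so a redirect guard should reject a backslash in that position as well.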

CVE-2016-0800 (Medium) detected in multiple libraries

CVE-2016-0800 - Medium Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, shadowsocks-androidv2.2.0, opensslOpenSSL_1_0_1

Vulnerability Details

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Publish Date: 2016-03-01

URL: CVE-2016-0800

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0800

Release Date: 2016-03-01

Fix Resolution: 1.0.1s,1.0.2g

CVE-2014-3566 (Low) detected in multiple libraries

CVE-2014-3566 - Low Severity Vulnerability

Vulnerable Libraries - io.jsv8.0.0, shadowsocks-androidv2.2.0, opensslOpenSSL_1_0_1

Vulnerability Details

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Publish Date: 2014-10-15

URL: CVE-2014-3566

CVSS 3 Score Details (3.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3566

Release Date: 2014-10-15

Fix Resolution: openssl - 1.0.2;openssl-android - 1.0.2

CVE-2014-3569 (Medium) detected in node-v1.6.4 - autoclosed

CVE-2014-3569 - Medium Severity Vulnerability

Vulnerable Library - nodev1.6.4

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/nodejs/node.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (37)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/openssl/ssl/s23_srvr.c
  • /github-scanner-test/openssl/ssl/ssl2.h
  • /github-scanner-test/openssl/ssl/t1_reneg.c
  • /github-scanner-test/openssl/ssl/d1_meth.c
  • /github-scanner-test/openssl/ssl/t1_meth.c
  • /github-scanner-test/openssl/ssl/s3_enc.c
  • /github-scanner-test/openssl/ssl/t1_srvr.c
  • /github-scanner-test/openssl/ssl/tls_srp.c
  • /github-scanner-test/openssl/ssl/dtls1.h
  • /github-scanner-test/openssl/ssl/ssl_stat.c
  • /github-scanner-test/openssl/ssl/t1_clnt.c
  • /github-scanner-test/openssl/ssl/s2_clnt.c
  • /github-scanner-test/openssl/ssl/s2_enc.c
  • /github-scanner-test/openssl/ssl/d1_clnt.c
  • /github-scanner-test/openssl/ssl/d1_both.c
  • /github-scanner-test/openssl/ssl/ssl_algs.c
  • /github-scanner-test/openssl/ssl/ssl_cert.c
  • /github-scanner-test/openssl/ssl/ssl_sess.c
  • /github-scanner-test/openssl/ssl/s2_meth.c
  • /github-scanner-test/is-my-json-valid/formats.js
  • /github-scanner-test/openssl/ssl/ssl_rsa.c
  • /github-scanner-test/openssl/ssl/d1_srtp.c
  • /github-scanner-test/openssl/ssl/d1_enc.c
  • /github-scanner-test/openssl/ssl/s23_meth.c
  • /github-scanner-test/openssl/ssl/s23_lib.c
  • /github-scanner-test/openssl/ssl/kssl_lcl.h
  • /github-scanner-test/openssl/ssl/ssl_txt.c
  • /github-scanner-test/openssl/ssl/ssl_asn1.c
  • /github-scanner-test/openssl/ssl/tls1.h
  • /github-scanner-test/openssl/ssl/srtp.h
  • /github-scanner-test/openssl/ssl/s2_lib.c
  • /github-scanner-test/openssl/ssl/ssl_locl.h
  • /github-scanner-test/openssl/ssl/s2_pkt.c
  • /github-scanner-test/openssl/ssl/kssl.h
  • /github-scanner-test/openssl/ssl/kssl.c
  • /github-scanner-test/openssl/ssl/s2_srvr.c
  • /github-scanner-test/openssl/ssl/s3_meth.c

Vulnerability Details

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.

Publish Date: 2014-12-24

URL: CVE-2014-3569

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1033378

Fix Resolution: HP has issued a fix (7.5.0).

The HP advisory is available at:

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04765115

CVE-2016-10087 (High) detected in libpng-apngv1.5.1

CVE-2016-10087 - High Severity Vulnerability

Vulnerable Library - libpng-apngv1.5.1

Library home page: git://git.code.sf.net/p/libpng-apng/code

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/libpng/png.c

Vulnerability Details

The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before 1.2.57, 1.4.x before 1.4.20, 1.5.x before 1.5.28, and 1.6.x before 1.6.27 allows context-dependent attackers to cause a NULL pointer dereference vectors involving loading a text chunk into a png structure, removing the text, and then adding another text chunk to the structure.

Publish Date: 2017-01-30

URL: CVE-2016-10087

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10087

Release Date: 2017-01-30

Fix Resolution: 1.0.67,1.2.57,1.4.20,1.5.28,1.6.27

CVE-2016-2177 (High) detected in node-v1.6.4, openssl-OpenSSL_1_0_1 - autoclosed

CVE-2016-2177 - High Severity Vulnerability

Vulnerable Libraries -

Vulnerability Details

OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.

Publish Date: 2016-06-20

URL: CVE-2016-2177

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201612-16

Release Date: 2016-12-07

Fix Resolution: All OpenSSL users should upgrade to the latest version >= openssl-1.0.2j

CVE-2014-0474 (High) detected in django-1.4 - autoclosed

CVE-2014-0474 - High Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Publish Date: 2014-04-23

URL: CVE-2014-0474

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474

Release Date: 2014-04-23

Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2

CVE-2015-3197 (Medium) detected in io.jsv8.0.0

CVE-2015-3197 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/s2_srvr.c

Vulnerability Details

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

Publish Date: 2016-02-15

URL: CVE-2015-3197

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-3197

Release Date: 2016-02-15

Fix Resolution: 1.0.1r,1.0.2f

CVE-2015-1791 (Medium) detected in io.jsv8.0.0

CVE-2015-1791 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/ssl_sess.c

Vulnerability Details

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

Publish Date: 2015-06-12

URL: CVE-2015-1791

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1791

Release Date: 2015-06-12

Fix Resolution: 0.9.8zg,1.0.0s,1.0.1n,1.0.2b

CVE-2016-2179 (High) detected in node-v1.6.4, openssl-OpenSSL_1_0_1 - autoclosed

CVE-2016-2179 - High Severity Vulnerability

Vulnerable Libraries -

Vulnerability Details

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.

Publish Date: 2016-09-16

URL: CVE-2016-2179

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2179

Release Date: 2016-09-16

Fix Resolution: 1.1.0

CVE-2014-3566 (Medium) detected in multiple libraries - autoclosed

CVE-2014-3566 - Medium Severity Vulnerability

Vulnerable Libraries -

Vulnerability Details

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

Publish Date: 2014-10-15

URL: CVE-2014-3566

CVSS 3 Score Details (6.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201411-10

Release Date: 2014-11-23

Fix Resolution: All Asterisk users should upgrade to the latest version >= asterisk-11.13.1

CVE-2014-0474 (Critical) detected in django1.4

CVE-2014-0474 - Critical Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/django/urlresolvers.py

Vulnerability Details

The (1) FilePathField, (2) GenericIPAddressField, and (3) IPAddressField model field classes in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 do not properly perform type conversion, which allows remote attackers to have unspecified impact and vectors, related to "MySQL typecasting."

Publish Date: 2014-04-23

URL: CVE-2014-0474

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0474

Release Date: 2014-04-23

Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2


CVE-2014-0221 (Low) detected in io.jsv8.0.0

CVE-2014-0221 - Low Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/d1_both.c

Vulnerability Details

The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.

Publish Date: 2014-06-05

URL: CVE-2014-0221

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0221

Release Date: 2014-06-05

Fix Resolution: 0.9.8za,1.0.0m,1.0.1h


CVE-2014-0472 (Medium) detected in django-1.4 - autoclosed

CVE-2014-0472 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

The django.core.urlresolvers.reverse function in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 allows remote attackers to import and execute arbitrary Python modules by leveraging a view that constructs URLs using user input and a "dotted Python path."

Publish Date: 2014-04-23

URL: CVE-2014-0472

CVSS 2 Score Details (5.1)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0472

Release Date: 2014-04-23

Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2


WS-2018-0069 (Low) detected in node-v1.6.4 - autoclosed

WS-2018-0069 - Low Severity Vulnerability

Vulnerable Library - nodev1.6.4

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/nodejs/node.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (37)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/openssl/ssl/s23_srvr.c
  • /github-scanner-test/openssl/ssl/ssl2.h
  • /github-scanner-test/openssl/ssl/t1_reneg.c
  • /github-scanner-test/openssl/ssl/d1_meth.c
  • /github-scanner-test/openssl/ssl/t1_meth.c
  • /github-scanner-test/openssl/ssl/s3_enc.c
  • /github-scanner-test/openssl/ssl/t1_srvr.c
  • /github-scanner-test/openssl/ssl/tls_srp.c
  • /github-scanner-test/openssl/ssl/dtls1.h
  • /github-scanner-test/openssl/ssl/ssl_stat.c
  • /github-scanner-test/openssl/ssl/t1_clnt.c
  • /github-scanner-test/openssl/ssl/s2_clnt.c
  • /github-scanner-test/openssl/ssl/s2_enc.c
  • /github-scanner-test/openssl/ssl/d1_clnt.c
  • /github-scanner-test/openssl/ssl/d1_both.c
  • /github-scanner-test/openssl/ssl/ssl_algs.c
  • /github-scanner-test/openssl/ssl/ssl_cert.c
  • /github-scanner-test/openssl/ssl/ssl_sess.c
  • /github-scanner-test/openssl/ssl/s2_meth.c
  • /github-scanner-test/is-my-json-valid/formats.js
  • /github-scanner-test/openssl/ssl/ssl_rsa.c
  • /github-scanner-test/openssl/ssl/d1_srtp.c
  • /github-scanner-test/openssl/ssl/d1_enc.c
  • /github-scanner-test/openssl/ssl/s23_meth.c
  • /github-scanner-test/openssl/ssl/s23_lib.c
  • /github-scanner-test/openssl/ssl/kssl_lcl.h
  • /github-scanner-test/openssl/ssl/ssl_txt.c
  • /github-scanner-test/openssl/ssl/ssl_asn1.c
  • /github-scanner-test/openssl/ssl/tls1.h
  • /github-scanner-test/openssl/ssl/srtp.h
  • /github-scanner-test/openssl/ssl/s2_lib.c
  • /github-scanner-test/openssl/ssl/ssl_locl.h
  • /github-scanner-test/openssl/ssl/s2_pkt.c
  • /github-scanner-test/openssl/ssl/kssl.h
  • /github-scanner-test/openssl/ssl/kssl.c
  • /github-scanner-test/openssl/ssl/s2_srvr.c
  • /github-scanner-test/openssl/ssl/s3_meth.c

Vulnerability Details

Versions of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.

Publish Date: 2018-04-21

URL: WS-2018-0069

CVSS 2 Score Details (3.7)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/572

Release Date: 2018-01-24

Fix Resolution: 1.4.1


CVE-2014-3569 (Medium) detected in io.jsv8.0.0

CVE-2014-3569 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/s23_srvr.c

Vulnerability Details

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.

Publish Date: 2014-12-24

URL: CVE-2014-3569

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3569

Release Date: 2014-12-24

Fix Resolution: OpenSSL_1_0_2a


CVE-2014-0473 (Medium) detected in django1.4

CVE-2014-0473 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/django/urlresolvers.py

Vulnerability Details

The caching framework in Django before 1.4.11, 1.5.x before 1.5.6, 1.6.x before 1.6.3, and 1.7.x before 1.7 beta 2 reuses a cached CSRF token for all anonymous users, which allows remote attackers to bypass CSRF protections by reading the CSRF cookie for anonymous users.

Publish Date: 2014-04-23

URL: CVE-2014-0473

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0473

Release Date: 2014-04-23

Fix Resolution: 1.4.11,1.5.6,1.6.3,1.7 beta 2


CVE-2014-0482 (Medium) detected in django-1.4 - autoclosed

CVE-2014-0482 - Medium Severity Vulnerability

Vulnerable Library - django1.4

The Web framework for perfectionists with deadlines.

Library home page: https://github.com/django/django.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (7)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/django/validators.py
  • /github-scanner-test/django/paginator.py
  • /github-scanner-test/django/signing.py
  • /github-scanner-test/django/xheaders.py
  • /github-scanner-test/django/exceptions.py
  • /github-scanner-test/django/context_processors.py
  • /github-scanner-test/django/urlresolvers.py

Vulnerability Details

The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors related to the REMOTE_USER header.

Publish Date: 2014-08-26

URL: CVE-2014-0482

CVSS 2 Score Details (6.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0482

Release Date: 2014-08-26

Fix Resolution: 1.4.14,1.5.9,1.6.6,1.7.1


CVE-2016-0704 (Medium) detected in node-v1.6.4 - autoclosed

CVE-2016-0704 - Medium Severity Vulnerability

Vulnerable Library - nodev1.6.4

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/nodejs/node.git

Found in HEAD commit: 38c8615a6d0a047787b5e7401328782154ba03e4

Library Source Files (37)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /github-scanner-test/openssl/ssl/s23_srvr.c
  • /github-scanner-test/openssl/ssl/ssl2.h
  • /github-scanner-test/openssl/ssl/t1_reneg.c
  • /github-scanner-test/openssl/ssl/d1_meth.c
  • /github-scanner-test/openssl/ssl/t1_meth.c
  • /github-scanner-test/openssl/ssl/s3_enc.c
  • /github-scanner-test/openssl/ssl/t1_srvr.c
  • /github-scanner-test/openssl/ssl/tls_srp.c
  • /github-scanner-test/openssl/ssl/dtls1.h
  • /github-scanner-test/openssl/ssl/ssl_stat.c
  • /github-scanner-test/openssl/ssl/t1_clnt.c
  • /github-scanner-test/openssl/ssl/s2_clnt.c
  • /github-scanner-test/openssl/ssl/s2_enc.c
  • /github-scanner-test/openssl/ssl/d1_clnt.c
  • /github-scanner-test/openssl/ssl/d1_both.c
  • /github-scanner-test/openssl/ssl/ssl_algs.c
  • /github-scanner-test/openssl/ssl/ssl_cert.c
  • /github-scanner-test/openssl/ssl/ssl_sess.c
  • /github-scanner-test/openssl/ssl/s2_meth.c
  • /github-scanner-test/is-my-json-valid/formats.js
  • /github-scanner-test/openssl/ssl/ssl_rsa.c
  • /github-scanner-test/openssl/ssl/d1_srtp.c
  • /github-scanner-test/openssl/ssl/d1_enc.c
  • /github-scanner-test/openssl/ssl/s23_meth.c
  • /github-scanner-test/openssl/ssl/s23_lib.c
  • /github-scanner-test/openssl/ssl/kssl_lcl.h
  • /github-scanner-test/openssl/ssl/ssl_txt.c
  • /github-scanner-test/openssl/ssl/ssl_asn1.c
  • /github-scanner-test/openssl/ssl/tls1.h
  • /github-scanner-test/openssl/ssl/srtp.h
  • /github-scanner-test/openssl/ssl/s2_lib.c
  • /github-scanner-test/openssl/ssl/ssl_locl.h
  • /github-scanner-test/openssl/ssl/s2_pkt.c
  • /github-scanner-test/openssl/ssl/kssl.h
  • /github-scanner-test/openssl/ssl/kssl.c
  • /github-scanner-test/openssl/ssl/s2_srvr.c
  • /github-scanner-test/openssl/ssl/s3_meth.c

Vulnerability Details

An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.

Publish Date: 2016-03-02

URL: CVE-2016-0704

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0704

Release Date: 2016-03-02

Fix Resolution: 0.9.8zf,1.0.0r,1.0.1m,1.0.2a


CVE-2014-3507 (Medium) detected in io.jsv8.0.0

CVE-2014-3507 - Medium Severity Vulnerability

Vulnerable Library - io.jsv8.0.0

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: 8cd991d5c517f7c4db986d368921467ed43ddd02

Found in base branch: master

Vulnerable Source Files (1)

/openssl/ssl/d1_both.c

Vulnerability Details

Memory leak in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function.

Publish Date: 2014-08-13

URL: CVE-2014-3507

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3507

Release Date: 2014-08-13

Fix Resolution: 0.9.8zb,1.0.0n,1.0.1i

