CVE

CVE-2010-4252

Date: (C)2010-12-06   (M)2018-01-20 


OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.

CVSS Score: 7.5
Exploit Score: 10.0
Impact Score: 6.4
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL





Reference:
SECTRACK-1024823
SECUNIA-42469
BID-45163
ADV-2010-3120
ADV-2010-3122
IAVM:2012-A-0148
IAVM:2012-A-0153
SSA:2010-340-01
SSRT100339
SSRT100475
http://cvs.openssl.org/chngview?cn=20098
http://openssl.org/news/secadv_20101202.txt
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
https://bugzilla.redhat.com/show_bug.cgi?id=659297
https://github.com/seb-m/jpake

CPE    76
cpe:/a:openssl:openssl:0.9.1c
cpe:/a:openssl:openssl:0.9.5a
cpe:/a:openssl:openssl:0.9.6:beta3
cpe:/a:openssl:openssl:0.9.6:beta1
...
CWE    1
CWE-287
OVAL    2
oval:org.secpod.oval:def:1092
oval:org.secpod.oval:def:848

© 2013 SecPod Technologies