CVE-2015-1788

Advisory lineage Upstream: 0 Downstream: 11
Modified
Published: 12 Jun 2015, 00:00
Last modified:06 Aug 2024, 04:54

Vulnerability Summary

Overall Risk (default)
low
20/100
CVSS Score
4.3 MEDIUM
v2.0 (nvd)
EPSS Score
15.91% MEDIUM
16% probability +0.63%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

12 Jun 2015, 00:00
Published
Vulnerability first disclosed
06 Aug 2024, 04:54
Last Modified
Vulnerability information updated

Description

The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.

CVSS Metrics

  • v2.0MEDIUMScore: 4.3AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 15.91% Percentile: 95%

Techniques & Countermeasures

  • CWE-399Resource Management Errors

    Weaknesses in this category are related to improper management of system resources.

Affected Systems

  • UnknownOpenSSL

    ≤ 0.9.8zf | 1.0.0 | 1.0.0:beta1 | 1.0.0:beta2 | 1.0.0:beta3 | 1.0.0:beta4 | 1.0.0:beta5 | 1.0.0a | 1.0.0b | 1.0.0c | 1.0.0d | 1.0.0e | 1.0.0f | 1.0.0g | 1.0.0h | 1.0.0i | 1.0.0j | 1.0.0k | 1.0.0l | 1.0.0m | 1.0.0n | 1.0.0o | 1.0.0p | 1.0.0q | 1.0.0r | 1.0.1 | 1.0.1:beta1 | 1.0.1:beta2 | 1.0.1:beta3 | 1.0.1a | 1.0.1b | 1.0.1c | 1.0.1d | 1.0.1e | 1.0.1f | 1.0.1g | 1.0.1h | 1.0.1i | 1.0.1j | 1.0.1k | 1.0.1l | 1.0.1m | 1.0.2 | 1.0.2:beta1 | 1.0.2a

References (46)