Information Exposure Affecting openssl package, versions >=1.0.0, <1.0.211


0.0 medium

Snyk CVSS

  • Exploit Maturity: Mature
  • Attack Complexity: High
  • Confidentiality: High
  • SUSE: 4.8 medium
  • NVD: 4.7 medium
  • RHEL: 4.8 medium

  • Snyk ID SNYK-COCOAPODS-OPENSSL-471323
  • published 2 Oct 2019
  • disclosed 7 Nov 2018
  • credit Unknown

How to fix?

Upgrade OpenSSL to version 1.0.211 or higher.

Overview

OpenSSL is an SSL/TLS and Crypto toolkit. Deprecated in Mac OS and gone in iOS, this spec gives your project non-deprecated OpenSSL support.

Affected versions of this package are vulnerable to Information Exposure through a timing attack. An attacker able to mount a local timing attack during ECDSA signature generation can exploit the vulnerability in the ECC scalar multiplication to recover the private key.