Information Exposure Affecting openssl-universal package, versions >=1.0.2, <1.0.2.17


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.81% (82nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-COCOAPODS-OPENSSLUNIVERSAL-535622
  • published2 Oct 2019
  • disclosed11 Apr 2018
  • creditAlejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia

Introduced: 11 Apr 2018

CVE-2018-0737  (opens in a new tab)
CWE-208  (opens in a new tab)

How to fix?

Upgrade OpenSSL-Universal to version 1.0.2.17 or higher.

Overview

OpenSSL-Universal is a complete solution to OpenSSL on iOS and OSX

Affected versions of this package are vulnerable to Information Exposure via timing (side-channel) attacks. The vulnerability exists due to the lack of constant time comparison during the RSA key generation of p and q, resulting in the potential ability to recover the private key.

CVSS Scores

version 3.1