Upgrade openssl-src to version 300.0.10 or higher.
openssl-src is a crate that contains the logic to build OpenSSL and is intended to be consumed by the openssl-sys crate.
Affected versions of this package are vulnerable to Cryptographic Issues due to incorrect handling of legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions, which incorrectly try to fetch an equivalent cipher from the available providers.
Exploiting this vulnerability is possible when an application incorrectly passes NID_undef as the NID value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way, the OpenSSL encryption/decryption initialization function will match the NULL cipher as being equivalent and will fetch this from the available providers, so data passes through the cipher unencrypted.
Notes:
1) Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialization function.
2) Applications that only use SSL/TLS are not impacted by this issue.
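A dependency check for this advisory, added here as an example and not part of the advisory or of the openssl-src crate: it scans a Cargo.lock for openssl-src entries below the fixed version 300.0.10 stated above. The Cargo.lock text is a constructed sample, and the build-metadata suffix (the part after "+", which openssl-src uses to carry the bundled OpenSSL version) is ignored when comparing, as SemVer requires.

```python
import re
from typing import Dict, List, Tuple

# Fixed crate version from the remediation above (major, minor, patch, release flag).
FIXED = (300, 0, 10, 1)

# Constructed sample Cargo.lock; not taken from any real project.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "openssl-sys"
version = "0.9.75"

[[package]]
name = "openssl-src"
version = "300.0.9+3.0.5"

[[package]]
name = "serde"
version = "1.0.145"
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")


def parse_crate_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, flag) for a crate version string.

    Build metadata after '+' is dropped. A pre-release ('-rc1') gets flag 0,
    a final release flag 1, so '300.0.10-rc1' sorts below '300.0.10'.
    """
    core = version.split("+", 1)[0]
    m = _VERSION_RE.fullmatch(core)
    if not m:
        raise ValueError("unparseable crate version: %r" % version)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def parse_cargo_lock(text: str) -> List[Dict[str, str]]:
    """Minimal [[package]] reader for Cargo.lock; only name and version are kept."""
    packages: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        m = re.fullmatch(r'(name|version)\s*=\s*"([^"]*)"', line)
        if m and packages:
            current[m.group(1)] = m.group(2)
    return packages


def vulnerable_openssl_src(cargo_lock_text: str) -> List[str]:
    """Return every openssl-src version in the lock file below the fixed version."""
    return [
        pkg["version"]
        for pkg in parse_cargo_lock(cargo_lock_text)
        if pkg.get("name") == "openssl-src"
        and parse_crate_version(pkg["version"]) < FIXED
    ]


if __name__ == "__main__":
    for ver in vulnerable_openssl_src(SAMPLE_CARGO_LOCK):
        print("openssl-src %s is below 300.0.10; upgrade" % ver)
```

A hit only means the vendored OpenSSL build is in the affected range; whether the application is actually exposed still depends on the EVP_CIPHER_meth_new()/NID_undef usage pattern in the notes above.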