Out-of-Bounds Affecting openssl package, versions [1.0.1,1.0.1a)[1.0.0,1.0.0i)[,0.9.8v)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
11.96% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-OPENSSL-2318714
  • published14 Dec 2021
  • disclosed19 Apr 2012
  • creditUnknown

Introduced: 19 Apr 2012

CVE-2012-2110  (opens in a new tab)
CWE-119  (opens in a new tab)

How to fix?

Upgrade openssl to version 1.0.1a, 1.0.0i, 0.9.8v or higher.

Overview

Affected versions of this package are vulnerable to Out-of-Bounds. The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.

CVSS Base Scores

version 3.1