CVE-2010-4180

Source
https://nvd.nist.gov/vuln/detail/CVE-2010-4180
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2010-4180.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2010-4180
Related
Published
2010-12-06T21:05:48Z
Modified
2024-09-11T02:00:07Z
Summary
[none]
Details

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

References

Affected packages

Debian:11 / openssl

Package

Name
openssl
Purl
pkg:deb/debian/openssl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.9.8o-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / openssl

Package

Name
openssl
Purl
pkg:deb/debian/openssl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.9.8o-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / openssl

Package

Name
openssl
Purl
pkg:deb/debian/openssl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.9.8o-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}