OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
No history.
Information
Published : 2010-12-06 21:05
Updated : 2025-04-11 00:51
NVD link : CVE-2010-4180
Mitre link : CVE-2010-4180
CVE.ORG link : CVE-2010-4180
JSON object : View
Products Affected
suse
- linux_enterprise_desktop
- linux_enterprise
- linux_enterprise_server
fedoraproject
- fedora
debian
- debian_linux
canonical
- ubuntu_linux
f5
- nginx
openssl
- openssl
opensuse
- opensuse
CWE