Detections
Analytics

CVE-2010-4180

high

Description

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18910

https://bugzilla.redhat.com/show_bug.cgi?id=659462

http://www.vupen.com/english/advisories/2011/0268

http://www.vupen.com/english/advisories/2011/0076

http://www.vupen.com/english/advisories/2011/0032

http://www.vupen.com/english/advisories/2010/3188

http://www.vupen.com/english/advisories/2010/3134

http://www.vupen.com/english/advisories/2010/3122

http://www.vupen.com/english/advisories/2010/3120

http://www.securityfocus.com/bid/45164

http://www.securityfocus.com/archive/1/522176

http://www.redhat.com/support/errata/RHSA-2011-0896.html

http://www.redhat.com/support/errata/RHSA-2010-0979.html

http://www.redhat.com/support/errata/RHSA-2010-0978.html

http://www.redhat.com/support/errata/RHSA-2010-0977.html

http://www.mandriva.com/security/advisories?name=MDVSA-2010:248

http://www.kb.cert.org/vuls/id/737740

http://www.debian.org/security/2011/dsa-2141

http://ubuntu.com/usn/usn-1029-1

http://support.apple.com/kb/HT4723

http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471

http://secunia.com/advisories/44269

http://secunia.com/advisories/43173

http://secunia.com/advisories/43172

http://secunia.com/advisories/43171

http://secunia.com/advisories/43170

http://secunia.com/advisories/43169

http://secunia.com/advisories/42877

http://secunia.com/advisories/42811

http://secunia.com/advisories/42620

http://secunia.com/advisories/42571

http://secunia.com/advisories/42493

http://secunia.com/advisories/42473

http://secunia.com/advisories/42469

http://openssl.org/news/secadv_20101202.txt

http://marc.info/?l=bugtraq&m=132077688910227&w=2

http://marc.info/?l=bugtraq&m=130497251507577&w=2

http://marc.info/?l=bugtraq&m=129916880600544&w=2

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.html

Details

Source: Mitre, NVD

Published: 2010-12-06

Updated: 2022-08-04

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: High