OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
References
Configurations
Configuration 1 (hide)
|
History
13 Feb 2023, 04:28
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol. |
02 Feb 2023, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | CVE-2010-4252 openssl: session key retrieval flaw in J-PAKE implementation |
Information
Published : 2010-12-06 21:05
Updated : 2023-12-10 11:03
NVD link : CVE-2010-4252
Mitre link : CVE-2010-4252
CVE.ORG link : CVE-2010-4252
JSON object : View
Products Affected
openssl
- openssl
CWE
CWE-287
Improper Authentication