HIGH 7.4
CVE-2014-0224
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVSS v3
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
89.7%
percentile 99.6%
Affected tracked apps
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| python | python | Windows | ≥2.7.0 <2.7.8 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |
| python | python | Windows | ≥3.4.0 <3.4.2 | cpe:2.3:a:python:python:*:*:*:*:*:*:*:* |