OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2010-12-06T21:00:00
Updated: 2017-09-18T12:57:01
Reserved: 2010-11-04T00:00:00
Link: CVE-2010-4180
JSON object: View
NVD Information
Status : Analyzed
Published: 2010-12-06T21:05:48.687
Modified: 2022-08-04T19:59:42.243
Link: CVE-2010-4180
JSON object: View
Redhat Information
No data.
CWE