Vulnerability Details: CVE-2008-5077
OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys.
Vulnerability category: Input validation
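The defect class behind this CVE, as an added illustration that is not part of the record and not OpenSSL code: EVP_VerifyFinal() returns 1 for a good signature, 0 for a bad one and a negative value when verification could not be performed at all (for example on a malformed encoding), so a caller that tests the result with `!ret` rejects only the 0 case and lets the error case through. The `verify_sig_stub()` function below is a hypothetical stand-in with the same three-way return contract so the file compiles without OpenSSL.

```c
/* Added example: contrasts the vulnerable and the corrected return-value
 * check for an EVP_VerifyFinal()-style API. verify_sig_stub() is a
 * constructed stand-in, not the real OpenSSL call. */
#include <stdio.h>

enum sig_kind { SIG_VALID, SIG_INVALID, SIG_MALFORMED };

/* Same return convention as EVP_VerifyFinal(): 1 = verified,
 * 0 = signature does not verify, negative = verification could not run. */
static int verify_sig_stub(enum sig_kind k)
{
    switch (k) {
    case SIG_VALID:   return 1;
    case SIG_INVALID: return 0;
    default:          return -1;  /* e.g. undecodable DSA/ECDSA signature */
    }
}

/* Vulnerable pattern: only an exact 0 is treated as failure, so a
 * negative error result is accepted as if the signature were valid. */
int chain_ok_buggy(enum sig_kind k)
{
    if (!verify_sig_stub(k))
        return 0;
    return 1;
}

/* Fixed pattern: anything other than exactly 1 is a failure. */
int chain_ok_fixed(enum sig_kind k)
{
    if (verify_sig_stub(k) != 1)
        return 0;
    return 1;
}

int main(void)
{
    static const char *names[] = { "valid", "invalid", "malformed" };
    for (int k = SIG_VALID; k <= SIG_MALFORMED; k++)
        printf("%-9s buggy=%d fixed=%d\n", names[k],
               chain_ok_buggy((enum sig_kind)k),
               chain_ok_fixed((enum sig_kind)k));
    return 0;
}
```

The malformed case is the one that matters: the buggy check reports it as accepted, the fixed check rejects it.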
Products affected by CVE-2008-5077
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6l:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6m:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.3a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-5077
- EPSS score: 9.26% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~95% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2008-5077
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:P | 8.6 | 4.9 | NIST | 
CWE ids for CVE-2008-5077
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-5077
- http://www.securitytracker.com/id?1021523
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6380
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/1297
- http://www.securityfocus.com/archive/1/499827/100/0/threaded
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9155
- oCERT advisory ocert-2008-016: http://www.ocert.org/advisories/ocert-2008-016.html
- Avaya ASA-2009-038 (RHSA-2009-0004): http://support.avaya.com/elmodocs2/security/ASA-2009-038.htm
- HPSBUX02418 SSRT090002 rev.1, HP-UX Running OpenSSL, Remote Unauthorized Access: http://marc.info/?l=bugtraq&m=123859864430555&w=2
- openSUSE-SU-2011:0845-1, important: compat-openssl09: http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/0913
- http://www.securityfocus.com/bid/33150
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/0289
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/0904
- http://www.securityfocus.com/archive/1/502322/100/0/threaded
- GLSA 200902-02, OpenSSL: Certificate validation error: http://security.gentoo.org/glsa/glsa-200902-02.xml
- HPSBMA02426 SSRT090053 rev.1, HP System Management Homepage (SMH) for Linux and: http://marc.info/?l=bugtraq&m=124277349419254&w=2
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/1338
- VooDoo cIRCle security advisory 20090123-01: http://voodoo-circle.sourceforge.net/sa/sa-20090123-01.html
- HPSBOV02540 SSRT090249 rev.1, HP SSL for OpenVMS, Remote Unauthorized Data Inje: http://marc.info/?l=bugtraq&m=127678688104458&w=2
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/0362
- OpenSSL security advisory (secadv_20090107): http://www.openssl.org/news/secadv_20090107.txt
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/0558
- Slackware Security Advisories: http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.544796
- https://usn.ubuntu.com/704-1/
- Vendor Advisory: http://www.vupen.com/english/advisories/2009/0040
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-250826-1
- SUSE-SU-2011:0847-1, important: Security update for: http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html
- About the security content of Security Update 2009-002 / Mac OS X v10.5.7: http://support.apple.com/kb/HT3549
- http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=837653
- US-CERT TA09-133A, Apple Updates for Multiple Vulnerabilities (US Government Resource): http://www.us-cert.gov/cas/techalerts/TA09-133A.html
- RHSA-2009-0004: http://www.redhat.com/support/errata/RHSA-2009-0004.html
- VMSA-2009-0004: http://www.vmware.com/security/advisories/VMSA-2009-0004.html