Vulnerability Details: CVE-2014-2896
The DoAlert function in the (1) TLS and (2) DTLS implementations in wolfSSL CyaSSL before 2.9.4 allows remote attackers to trigger memory corruption or an out-of-bounds read, with unspecified impact, via unspecified vectors.
Vulnerability category: Memory Corruption
Exploit prediction scoring system (EPSS) score for CVE-2014-2896
Probability of exploitation activity in the next 30 days: 0.49%
Percentile (the proportion of vulnerabilities scored at or below this one): ~73%
CVSS scores for CVE-2014-2896
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE IDs for CVE-2014-2896
- The product reads data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2896
- http://www.wolfssl.com/yaSSL/Blog/Entries/2014/4/11_wolfSSL_Security_Advisory__April_9%2C_2014.html
  wolfSSL Security Advisory: April 9, 2014 - wolfSSL (Vendor Advisory)
- http://seclists.org/oss-sec/2014/q2/130
  oss-sec: Re: CVE ids for CyaSSL 2.9.4? (Mailing List; Third Party Advisory)
- http://seclists.org/oss-sec/2014/q2/126
  oss-sec: CVE ids for CyaSSL 2.9.4? (Mailing List; Third Party Advisory)
- http://www.wolfssl.com/yaSSL/Docs-cyassl-changelog.html
  wolfSSL Changelog | wolfSSL Embedded SSL/TLS Library Documentation (Vendor Advisory)
Products affected by CVE-2014-2896
- cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*