Vulnerability Details : CVE-2016-6303
Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
Vulnerability category: OverflowMemory CorruptionDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2016-6303
Probability of exploitation activity in the next 30 days: 28.94%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 97 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2016-6303
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2016-6303
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-6303
-
http://www.securitytracker.com/id/1036885
OpenSSL Multiple Bugs Let Remote Users Cause the Target Service to Crash - SecurityTrackerThird Party Advisory;VDB Entry
-
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Oracle Critical Patch Update - April 2018Patch;Third Party Advisory
-
http://www.securityfocus.com/bid/92984
OpenSSL CVE-2016-6303 Integer Overflow VulnerabilityThird Party Advisory;VDB Entry
-
https://www.tenable.com/security/tns-2016-20
[R3] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Oracle Critical Patch Update - January 2018Patch;Third Party Advisory
-
https://www.tenable.com/security/tns-2016-21
[R2] LCE 4.8.2 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312
Pulse Security Advisory: SA40312 - September 22 2016 OpenSSL Security AdvisoryThird Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Oracle Critical Patch Update - October 2017Patch;Third Party Advisory
-
http://www-01.ibm.com/support/docview.wss?uid=swg21995039
IBM notice: The page you requested cannot be displayedThird Party Advisory
-
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Security updates for all active release lines, September 2016 | Node.jsThird Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Oracle Critical Patch Update - October 2016Patch;Third Party Advisory
-
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc
Third Party Advisory
-
https://www.tenable.com/security/tns-2016-16
[R7] Nessus 6.9 Fixes Multiple Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=55d83bf7c10c7b205fffa23fa7c3977491e56c07
git.openssl.org Git
-
https://bto.bluecoat.com/security-advisory/sa132
SA132 : OpenSSL Vulnerabilities 22-Sep-2016 and 26-Sep-2016Third Party Advisory
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
-
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
Juniper Networks - 2016-10 Security Bulletin: OpenSSL security updatesThird Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Oracle Critical Patch Update - July 2017Patch;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1370146
1370146 – (CVE-2016-6303) CVE-2016-6303 openssl: Integer overflow in MDC2_Update()Issue Tracking;Patch;Third Party Advisory
Products affected by CVE-2016-6303
- cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1m:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1n:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1o:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1q:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1p:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1r:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1s:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1t:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*