Vulnerability Details : CVE-2018-12384
When handling an SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
Products affected by CVE-2018-12384
- cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12384
- EPSS score: 4.28% (probability of exploitation activity in the next 30 days)
- Percentile: ~91% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-12384
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2018-12384
- The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-12384
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384
  1483128 - (CVE-2018-12384) ServerHello.random is all zero when handling a v2-compatible ClientHello (Issue Tracking; Vendor Advisory)