Vulnerability Details : CVE-2018-12384
When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
Exploit prediction scoring system (EPSS) score for CVE-2018-12384
Probability of exploitation activity in the next 30 days: 4.28%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 91 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-12384
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
|
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.2
|
3.6
|
NIST |
CWE ids for CVE-2018-12384
-
The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-12384
-
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Page not found | Oracle
-
https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384
1483128 - (CVE-2018-12384) ServerHello.random is all zero when handling a v2-compatible ClientHelloIssue Tracking;Vendor Advisory
Products affected by CVE-2018-12384
- cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*