CVE-2015-1791 (Medium) detected in opensslOpenSSL_1_0_1i - autoclosed #197

@mend-bolt-for-github

CVE-2015-1791 - Medium Severity Vulnerability

Vulnerable Library - opensslOpenSSL_1_0_1i

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in base branch: archived-io.js-v0.10

Vulnerable Source Files (6)

node/deps/openssl/openssl/ssl/ssl_sess.c
node/deps/openssl/openssl/ssl/ssl_sess.c
node/deps/openssl/openssl/ssl/ssl_locl.h
node/deps/openssl/openssl/ssl/ssl_err.c
node/deps/openssl/openssl/ssl/s3_clnt.c
node/deps/openssl/openssl/ssl/ssl_sess.c

Vulnerability Details

Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.

Publish Date: 2015-06-12

URL: CVE-2015-1791

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1791

Release Date: 2015-06-12

Fix Resolution: 0.9.8zg,1.0.0s,1.0.1n,1.0.2b

