CVE-2018-12384
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/04/2019
Last modified:
24/08/2020
Description
When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
Impact
Base Score 3.x
5.90
Severity 3.x
MEDIUM
Base Score 2.0
4.30
Severity 2.0
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* | 3.39 (excluding) |
To consult the complete list of CPE names with products and versions, see this page