CVE-2018-12384

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/04/2019
Last modified:
24/08/2020

Description

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:* 3.39 (excluding)