Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv2

CVE-2014-3616

Published: 08/12/2014 Updated: 10/11/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Subscribe to Nginx

Vulnerability Summary

nginx 0.5.6 up to and including 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

f5 nginx

debian debian linux 7.0

debian debian linux 8.0

Vendor Advisories

Ubuntu Security Notice: nginx vulnerability
nginx could be made to expose sensitive information over the network ...
Debian Security Advisories: DSA-3029-1 nginx -- security update
Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered that it was possible to reuse cached SSL sessions in unrelated contexts, allowing virtual host confusion attacks in some configurations by an attacker in a privileged network position For the stable distribution (wheezy), this problem has been fixed in version 121-22+wheezy3 For the ...
Debian CVElist Bug Report Logs: nginx: resolver CVEs: CVE-2016-0742 CVE-2016-0746 CVE-2016-0747
Debian Bug report logs - #812806 nginx: resolver CVEs: CVE-2016-0742 CVE-2016-0746 CVE-2016-0747 Package: src:nginx; Maintainer for src:nginx is Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-listsdebiannet>; Reported by: Christos Trochalakis <yatiohi@ideopolisgr> Date: Tue, 26 Jan 2016 18:03:01 UTC Severi ...
Debian CVElist Bug Report Logs: nginx:CVE-2014-3616: possible to reuse cached SSL sessions in unrelated contexts
Debian Bug report logs - #761940 nginx:CVE-2014-3616: possible to reuse cached SSL sessions in unrelated contexts Package: src:nginx; Maintainer for src:nginx is Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-listsdebiannet>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 17 Sep 2014 05:09: ...
Amazon Linux AMI: ALAS-2014-421
A virtual host confusion issue was found in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin This leads to a variety of issues, such as cookie theft and session hijacking It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on ...

References

CWE-613http://www.debian.org/security/2014/dsa-3029http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.htmlhttps://usn.ubuntu.com/2351-1/https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
injectionCVE-2024-30983CVE-2023-4235CVE-2024-21338privilegeencryptionCVE-2023-4232CVE-2024-31497CVE-2024-32341
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook