CVE-2018-12384

CVE Database · CVE-2018-12384

CVE-2018-12384

· N/AModified

CVSS v3.1

N/A

EPSS

1.49%

Published

Apr 29, 2019

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

Weaknesses (CWE)

CWE-335

Affected Products (1)

mozilla · network_security_services (up to 3.39)vulnerable

References (4)

https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384

Issue TrackingVendor Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384

Issue TrackingVendor Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

KEV Catalog EPSS Scores Vendors All CVEs