CVE-2016-0798
high-risk
Published 2016-03-03
Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.
Do I need to act?
!
26.0% chance of exploitation in next 30 days
EPSS score — higher than 74% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Affected Vendors
References (50)
Vendor Advisory
http://openssl.org/news/secadv/20160301.txt
and 30 more references
64
/ 100
high-risk
Severity
26/34 · High
Exploitability
15/34 · Moderate
Exposure
23/34 · High