VDB
CVE-2002-0082
CVE-2002-0082
PUBLISHED
CVSS 7.5 HIGH
The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.
EPSS 2.33% · 85.1th percentile
Risk Scores
CVSS 2.0
7.5
EPSS Score
2.33%
85.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| apache-ssl | apache-ssl | 1.42, 1.45, 1.41 |
| n/a | n/a | n/a |
| mod_ssl | mod_ssl | 2.8.6, 2.8.3, 2.7.1 |
Timeline
- Mar 15, 2002 CVE Published
- Jul 10, 2019 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- Apr 30, 2022 CVE Updated
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 27, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 3, 2023 EPSS Score
- May 26, 2023 EPSS Score
References
- CSSA-2002-011.0 vendor-advisory
- 4189 vdb
- RHSA-2002:045 vendor-advisory
- HPSBUX0204-190 vendor-advisory
- 20020301 Apache-SSL buffer overflow (fix available) mailing-list
- 20020227 mod_ssl Buffer Overflow Condition (Update Available) mailing-list
- MDKSA-2002:020 vendor-advisory
- ESA-20020301-005 vendor-advisory
- 20020304 Apache-SSL 1.3.22+1.47 - update to security fix mailing-list
- RHSA-2002:042 vendor-advisory
- apache-modssl-bo(8308) vdb
- RHSA-2002:041 vendor-advisory
- http://www.apacheweek.com/issues/02-03-01#security url
- SSRT0817 vendor-advisory
- CLA-2002:465 vendor-advisory
- HPSBTL0203-031 vendor-advisory
- DSA-120 vendor-advisory
- http://packetstormsecurity.com/files/153567/Apache-mod_ssl-OpenSSL-Remote-Buffer-Overflow.html url
- https://nvd.nist.gov/vuln/detail/CVE-2002-0082 advisory