CVE-2002-0082

The dbm and shm session cache code in mod_ssl before 2.8.7-1.3.23, and Apache-SSL before 1.3.22+1.46, does not properly initialize memory using the i2d_SSL_SESSION function, which allows remote attackers to use a buffer overflow to execute arbitrary code via a large client certificate that is signed by a trusted Certificate Authority (CA), which produces a large serialized session.

Published: Mar 15, 2002
Updated: Apr 13, 2023
CVE: CVE-2002-0082
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
mod_ssl / mod_ssl	2.8.3	2.8.3.x
apache-ssl / apache-ssl	1.41	1.41.x
mod_ssl / mod_ssl	2.8.6	2.8.6.x
mod_ssl / mod_ssl	2.8.5	2.8.5.x
apache-ssl / apache-ssl	1.45	1.45.x
apache-ssl / apache-ssl	1.44	1.44.x
mod_ssl / mod_ssl	2.8.2	2.8.2.x
mod_ssl / mod_ssl	2.8.1	2.8.1.x
mod_ssl / mod_ssl	2.8	2.8.x
apache-ssl / apache-ssl	1.46	1.46.x
apache-ssl / apache-ssl	1.42	1.42.x
mod_ssl / mod_ssl	2.7.1	2.7.1.x
apache-ssl / apache-ssl	1.40	1.40.x
mod_ssl / mod_ssl	2.8.4	2.8.4.x

Vulnerability Database

289,599

CVE-2002-0082