CVE-2010-4180

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Published: Dec 6, 2010
Updated: Apr 13, 2023
CVE: CVE-2010-4180
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
openssl / openssl	1.0.0	1.0.0c
openssl / openssl	-	0.9.8q
fedoraproject / fedora	13	13.x
fedoraproject / fedora	14	14.x
debian / debian_linux	5.0	5.0.x
canonical / ubuntu_linux	10.10	10.10.x
canonical / ubuntu_linux	9.04	9.04.x
canonical / ubuntu_linux	8.04	8.04.x
canonical / ubuntu_linux	10.04	10.04.x
canonical / ubuntu_linux	6.06	6.06.x
suse / linux_enterprise_desktop	11-sp1	11-sp1.x
opensuse / opensuse	11.1	11.1.x
suse / linux_enterprise_server	9	9.x
opensuse / opensuse	11.4	11.4.x
opensuse / opensuse	11.2	11.2.x
opensuse / opensuse	11.3	11.3.x
suse / linux_enterprise_desktop	10-sp3	10-sp3.x
suse / linux_enterprise_desktop	10-sp4	10-sp4.x
suse / linux_enterprise_server	10-sp4	10-sp4.x
suse / linux_enterprise_server	10-sp3	10-sp3.x
suse / linux_enterprise	11.0-sp1	11.0-sp1.x
f5 / nginx	-	0.9.2

Vulnerability Database

289,599

CVE-2010-4180