CVE-2018-12384

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

Published: Apr 29, 2019
Updated: Apr 13, 2023
CVE: CVE-2018-12384
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-335

Affected Software
References

Software	From	Fixed in
mozilla / network_security_services	-	3.39

https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Vulnerability Database

289,599

CVE-2018-12384