When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mozilla
Published: 2019-04-29T14:22:53
Updated: 2024-08-05T08:31:00.061Z
Reserved: 2018-06-14T00:00:00
Link: CVE-2018-12384
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-04-29T15:29:00.247
Modified: 2024-11-21T03:45:06.593
Link: CVE-2018-12384
Redhat