CVE-2018-12384

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-12384

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-12384.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-12384

Downstream

ALPINE-CVE-2018-12384

DEBIAN-CVE-2018-12384

RHSA-2018:2768

RHSA-2018:2898

SUSE-SU-2018:4235-1

SUSE-SU-2018:4236-1

SUSE-SU-2018:4236-2

UBUNTU-CVE-2018-12384

USN-3850-1

openSUSE-SU-2024:11058-1

Related

Published

2019-04-29T15:29:00Z

Modified

2025-08-09T19:01:27Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.

References

Affected packages