CVE-2014-3616

EUVD-2014-3580
nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
f5nginx
0.5.6 ≤
𝑥
< 1.6.2
f5nginx
1.7.0 ≤
𝑥
< 1.7.5
debiandebian_linux
7.0
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nginx
bookworm
1.22.1-9
fixed
bullseye
1.18.0-6.1+deb11u3
fixed
bullseye (security)
1.18.0-6.1+deb11u3
fixed
sid
1.26.0-3
fixed
trixie
1.26.0-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nginx
lucid
ignored
precise
Fixed 1.1.19-1ubuntu0.7
released
trusty
Fixed 1.4.6-1ubuntu3.1
released
utopic
not-affected
Common Weakness Enumeration
References
http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html
http://www.debian.org/security/2014/dsa-3029
http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html
http://www.debian.org/security/2014/dsa-3029