Multiple OpenSSL vulnerabilities have been found in Pulse Connect Secure (PCS).
| CVE Number | CVSS Base Score | CVE Issue Title |
|---|
| CVE-2011-4109 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check. |
| CVE-2011-4576 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer. |
| CVE-2011-4619 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service via unspecified vectors. |
| CVE-2012-0884 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. |
| CVE-2012-2110 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. |
