Hi, I am analyzing CVE-2013-4353, and the CVSS vector mentions Au parameter to N [1] From what I understand, the culprit code is called in the Server Finish message of the handshake, which is the last step - by this time the client has authenticated the server (step 3). So why does the CVSS vector mention authentication to be None?
Thanks. -ag [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org