Re: CVE-2013-4353 and CVSS v2 vector with Authentication set to None
Sorry folks - I was fixated on something else to see the obvious.

-Amarendra

On Sun, Jan 26, 2014 at 10:22 AM, Amarendra Godbole wrote:
> Hi,
>
> I am analyzing CVE-2013-4353, and the CVSS vector mentions Au
> parameter to N [1] From what I understand, the culprit code is called
> in the Server Finish message of the handshake, which is the last step
> - by this time the client has authenticated the server (step 3). So
> why does the CVSS vector mention authentication to be None?
>
> Thanks.
>
> -ag
>
> [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353
> CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

CVE-2013-4353 and CVSS v2 vector with Authentication set to None
Hi,

I am analyzing CVE-2013-4353, and the CVSS vector mentions Au
parameter to N [1] From what I understand, the culprit code is called
in the Server Finish message of the handshake, which is the last step
- by this time the client has authenticated the server (step 3). So
why does the CVSS vector mention authentication to be None?

Thanks.

-ag

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353
CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)