[NGINX:CVE-2014-3616] SSL session reuse vulnerability

Severity Medium
Affected Packages 1
Unaffected Packages 2
CVEs 1

nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.

Package Affected Version
pkg:nginx/nginx >= 0.5.6, <= 1.7.4
Package Unaffected Version
pkg:nginx/nginx >= 1.7.5
pkg:nginx/nginx >= 1.6.2
ID
NGINX:CVE-2014-3616
Severity
medium
Published
2014-12-08T11:59:03
Modified
2014-12-08T11:59:03
Rights
NGINX Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:nginx/nginx nginx >= 0.5.6 <= 1.7.4
Unaffected pkg:nginx/nginx nginx >= 1.7.5
Unaffected pkg:nginx/nginx nginx >= 1.6.2