VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-pzng-q94v-aaah

Essentials
Severities (104)
References (38)
Severity details (18)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-pzng-q94v-aaah
Aliases	CVE-2019-1552 VC-OPENSSL-20190730-CVE-2019-1552
Summary	OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time.
Status	Published
Exploitability	0.5
Weighted Severity	7.0
Risk	3.5
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-295

Improper Certificate Validation

System	Score	Found at
cvssv3	3.6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1552.json
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00135	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00148	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00152	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00152	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00152	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00166	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.0017	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00172	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00208	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00208	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00208	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00208	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
epss	0.00208	https://api.first.org/data/v1/epss?cve=CVE-2019-1552
rhbs	low	https://bugzilla.redhat.com/show_bug.cgi?id=1745637
cvssv2	1.9	https://nvd.nist.gov/vuln/detail/CVE-2019-1552
cvssv3	3.3	https://nvd.nist.gov/vuln/detail/CVE-2019-1552
generic_textual	Low	https://www.openssl.org/news/secadv/20190730.txt
cvssv3.1	9.8	https://www.oracle.com/security-alerts/cpuapr2020.html
generic_textual	CRITICAL	https://www.oracle.com/security-alerts/cpuapr2020.html
cvssv3.1	9.8	https://www.oracle.com/security-alerts/cpujan2020.html
generic_textual	CRITICAL	https://www.oracle.com/security-alerts/cpujan2020.html
cvssv3.1	9.8	https://www.oracle.com/security-alerts/cpujul2020.html
generic_textual	CRITICAL	https://www.oracle.com/security-alerts/cpujul2020.html
cvssv3.1	9.8	https://www.oracle.com/security-alerts/cpuoct2020.html
generic_textual	CRITICAL	https://www.oracle.com/security-alerts/cpuoct2020.html
cvssv3.1	9.8	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
generic_textual	CRITICAL	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
cvssv3.1	6.1	https://www.tenable.com/security/tns-2019-08
generic_textual	MODERATE	https://www.tenable.com/security/tns-2019-08
cvssv3.1	8.8	https://www.tenable.com/security/tns-2019-09
generic_textual	HIGH	https://www.tenable.com/security/tns-2019-09

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1552.json
		https://api.first.org/data/v1/epss?cve=CVE-2019-1552
		https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
		https://github.com/openssl/openssl/commit/54aa9d51b09d67e90db443f682cface795f5af9e
		https://github.com/openssl/openssl/commit/b15a19c148384e73338aa7c5b12652138e35ed28
		https://github.com/openssl/openssl/commit/d333ebaf9c77332754a9d5e111e2f53e1de54fdd
		https://github.com/openssl/openssl/commit/e32bc855a81a2d48d215c506bdeb4f598045f7e9
		https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=54aa9d51b09d67e90db443f682cface795f5af9e
		https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b15a19c148384e73338aa7c5b12652138e35ed28
		https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
		https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e32bc855a81a2d48d215c506bdeb4f598045f7e9
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9
		https://kc.mcafee.com/corporate/index?page=content&id=SB10365
		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
		https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
		https://security.netapp.com/advisory/ntap-20190823-0006/
		https://support.f5.com/csp/article/K94041354
		https://support.f5.com/csp/article/K94041354?utm_source=f5support&amp%3Butm_medium=RSS
		https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS
		https://www.kb.cert.org/vuls/id/429301
		https://www.openssl.org/news/secadv/20190730.txt
		https://www.oracle.com/security-alerts/cpuapr2020.html
		https://www.oracle.com/security-alerts/cpujan2020.html
		https://www.oracle.com/security-alerts/cpujul2020.html
		https://www.oracle.com/security-alerts/cpuoct2020.html
		https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
		https://www.tenable.com/security/tns-2019-08
		https://www.tenable.com/security/tns-2019-09
1745637		https://bugzilla.redhat.com/show_bug.cgi?id=1745637
cpe:2.3:a:openssl:openssl::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl::::::::
CVE-2019-1552		https://nvd.nist.gov/vuln/detail/CVE-2019-1552

No exploits are available.

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1552.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1552

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1552

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuapr2020.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujan2020.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpujul2020.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/security-alerts/cpuoct2020.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.tenable.com/security/tns-2019-08

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.tenable.com/security/tns-2019-09

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.49796
EPSS Score	0.00135
Published At	Nov. 1, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.