Search for vulnerabilities
Vulnerability details: VCID-t1yp-se6m-gbg9
Vulnerability ID VCID-t1yp-se6m-gbg9
Aliases CVE-2017-13098
GHSA-wrwf-pmmj-w989
Summary
Status Published
Exploitability 2.0
Weighted Severity 6.2
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-203 Observable Discrepancy
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-300 Channel Accessible by Non-Endpoint
System Score Found at
cvssv3.1 5.9 http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-13098.json
epss 0.72268 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.72268 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.72268 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
epss 0.7563 https://api.first.org/data/v1/epss?cve=CVE-2017-13098
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wrwf-pmmj-w989
cvssv3.1 5.9 https://github.com/bcgit/bc-java
generic_textual MODERATE https://github.com/bcgit/bc-java
cvssv3.1 5.9 https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
generic_textual MODERATE https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2017-13098
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2017-13098
cvssv3.1 5.9 https://robotattack.org
generic_textual MODERATE https://robotattack.org
cvssv3.1 5.9 https://security.netapp.com/advisory/ntap-20171222-0001
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20171222-0001
cvssv3.1 5.9 https://www.debian.org/security/2017/dsa-4072
generic_textual MODERATE https://www.debian.org/security/2017/dsa-4072
cvssv3.1 5.9 https://www.oracle.com/security-alerts/cpuoct2020.html
generic_textual MODERATE https://www.oracle.com/security-alerts/cpuoct2020.html
cvssv3.1 5.9 http://www.kb.cert.org/vuls/id/144389
generic_textual MODERATE http://www.kb.cert.org/vuls/id/144389
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-13098.json
https://api.first.org/data/v1/epss?cve=CVE-2017-13098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098
https://github.com/bcgit/bc-java
https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
https://nvd.nist.gov/vuln/detail/CVE-2017-13098
https://robotattack.org
https://robotattack.org/
https://security.netapp.com/advisory/ntap-20171222-0001
https://security.netapp.com/advisory/ntap-20171222-0001/
https://www.debian.org/security/2017/dsa-4072
https://www.oracle.com/security-alerts/cpuoct2020.html
http://www.kb.cert.org/vuls/id/144389
1525528 https://bugzilla.redhat.com/show_bug.cgi?id=1525528
884241 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884241
GHSA-wrwf-pmmj-w989 https://github.com/advisories/GHSA-wrwf-pmmj-w989
Data source Metasploit
Description Some TLS implementations handle errors processing RSA key exchanges and encryption (PKCS #1 v1.5 messages) in a broken way that leads an adaptive chosen-chiphertext attack. Attackers cannot recover a server's private key, but they can decrypt and sign messages with it. A strong oracle occurs when the TLS server does not strictly check message formatting and needs less than a million requests on average to decode a given ciphertext. A weak oracle server strictly checks message formatting and often requires many more requests to perform the attack. This module requires Python 3 with the gmpy2 and cryptography packages to be present.
Note 
AKA:
  - ROBOT
  - Adaptive chosen-ciphertext attack
Ransomware campaign use Unknown
Source publication date June 17, 2009
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/ssl/bleichenbacher_oracle.py
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-13098.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/bcgit/bc-java
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-13098
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://robotattack.org
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20171222-0001
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.debian.org/security/2017/dsa-4072
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.oracle.com/security-alerts/cpuoct2020.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.kb.cert.org/vuls/id/144389
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.98703
EPSS Score 0.72268
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T07:58:52.824000+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 37.0.0