CVE-2013-0166

Description

OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.

Category

CVSS 2.0 base score: 5.0 (Severity: Medium)
EPSS: 5.33% (Top 15%)
Vendor advisories: redhat.com, marc.info, opensuse.org, debian.org, apple.com, openssl.org
Affected: n/a (no affected-product entry is recorded here; the description covers OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d)

References

Link (tags)
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=66e8211c0b1347970096e04b18aa52567c325200
http://rhn.redhat.com/errata/RHSA-2013-0587.html [vendor advisory]
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19360 [signature, vdb entry]
http://secunia.com/advisories/55139 [third party advisory]
http://www.openssl.org/news/secadv_20130204.txt [vendor advisory]
https://bugzilla.redhat.com/show_bug.cgi?id=908052
http://marc.info/?l=bugtraq&m=136396549913849&w=2 [vendor advisory]
http://marc.info/?l=bugtraq&m=137545771702053&w=2 [vendor advisory]
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html [vendor advisory]
http://marc.info/?l=bugtraq&m=136432043316835&w=2 [vendor advisory]
http://rhn.redhat.com/errata/RHSA-2013-0833.html [vendor advisory]
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=62e4506a7d4cec1c8e1ff687f6b220f6a62a57c7
http://secunia.com/advisories/53623 [third party advisory]
http://www.kb.cert.org/vuls/id/737740 [third party advisory, US government resource]
http://www.debian.org/security/2013/dsa-2621 [vendor advisory]
http://rhn.redhat.com/errata/RHSA-2013-0783.html [vendor advisory]
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html [vendor advisory]
http://secunia.com/advisories/55108 [third party advisory]
http://rhn.redhat.com/errata/RHSA-2013-0782.html [vendor advisory]
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html [vendor advisory]
http://www.splunk.com/view/SP-CAAAHXG
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19487 [signature, vdb entry]
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18754 [signature, vdb entry]
http://support.apple.com/kb/HT5880
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19081 [signature, vdb entry]
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=ebc71865f0506a293242bd4aec97cdc7a8ef24b0

Frequently Asked Questions

What is the severity of CVE-2013-0166?
CVE-2013-0166 has been scored as a medium severity vulnerability.
How to fix CVE-2013-0166?
To fix CVE-2013-0166, upgrade OpenSSL to 0.9.8y, 1.0.0k or 1.0.1d (or any later release in that branch), the first fixed releases named in the description and in the OpenSSL advisory of 4 February 2013. If OpenSSL comes from a distribution package, apply the update named in your vendor's advisory (Red Hat, Debian, openSUSE, Apple and HPE advisories are linked under References) rather than comparing upstream version numbers alone, since vendors may ship the fix without changing the upstream version string. No workaround other than updating is given here.
Is CVE-2013-0166 being actively exploited in the wild?
No confirmed exploitation of CVE-2013-0166 is recorded on this page. Its EPSS score of 5.33% (Top 15%) corresponds to an estimated probability of roughly 5% that the vulnerability will be exploited in the wild in the next 30 days, so exploitation is possible but not established.
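As a practical check for the fix guidance above, the following is an added example (not code from this page, from the OpenSSL project or from any linked advisory). It encodes the three affected ranges exactly as the description states them, understands the old OpenSSL patch-letter scheme (1.0.1c, 0.9.8zh and so on), and can test either a version string you supply or the OpenSSL build the running Python interpreter is linked against via ssl.OPENSSL_VERSION. The sample version strings in the block are constructed for illustration.

```python
"""Version-range check for CVE-2013-0166 (added example, not vendor code).
Ranges come straight from the CVE description:
OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d."""
import re
import ssl

# First fixed release per branch, as named in the description.  Any release
# in the same branch with a lower patch letter (or no letter) is affected.
FIXED_IN = {
    (0, 9, 8): "y",
    (1, 0, 0): "k",
    (1, 0, 1): "d",
}

# Old OpenSSL scheme: major.minor.fix plus an optional patch-letter suffix
# ("", "a" .. "z", then "za" .. "zh" as used late in the 0.9.8 branch).
# A "-fips" tag or build date following the version is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) from text such as
    'OpenSSL 1.0.1c 10 May 2012' or a bare '0.9.8zh'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, m.group(4)


def letter_key(letters):
    """Sort key for the patch-letter suffix: '' < 'a' < ... < 'z' < 'za'."""
    return tuple(ord(c) - ord("a") + 1 for c in letters)


def is_affected(text):
    """True if the OpenSSL version found in `text` falls in an affected range."""
    nums, letters = parse_version(text)
    if nums < (0, 9, 8):
        # Literal reading of "before 0.9.8y": older branches are in range too.
        return True
    fixed = FIXED_IN.get(nums)
    if fixed is None:
        # 1.0.2 and later branches (1.1.x, 3.x) shipped after the fix.
        return False
    return letter_key(letters) < letter_key(fixed)


def runtime_status():
    """Check the OpenSSL build the running interpreter is linked against."""
    version = ssl.OPENSSL_VERSION
    return version, is_affected(version)


if __name__ == "__main__":
    # Constructed sample strings in the format ssl.OPENSSL_VERSION uses.
    for sample in ("OpenSSL 1.0.1c 10 May 2012", "OpenSSL 1.0.1d 5 Feb 2013",
                   "OpenSSL 0.9.8zh 3 Dec 2015", "OpenSSL 1.0.2u-fips 20 Dec 2019"):
        print("%-35s affected=%s" % (sample, is_affected(sample)))
    print("runtime: %s affected=%s" % runtime_status())
```

A version string inside one of the ranges is only a starting point: distribution packages such as those covered by the Red Hat, Debian and openSUSE advisories above can carry the fix as a backport without changing the upstream version letter, so confirm against the vendor's errata before treating a host as vulnerable. Conversely, any release at or above the first fixed release in its branch, and every later branch, is outside the ranges the description gives.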
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.