CVE-2024-41996

ADVISORY - ubuntu

Summary

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

EPSS Score⁠: 0.00157 (0.376)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-295⁠

Improper Certificate Validation

ADVISORY - redhat

CWE-295⁠

Improper Certificate Validation

Impacted images

Advisories

Ubuntu

CREATED

9 months ago

UPDATED

10 days ago

ADVISORY IDCVE-2024-41996⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Package	Type	OS Name	OS Version	Affected Ranges	Fix Versions
ubuntu/openssl	deb	ubuntu	22.04	>=0	Not yet available
ubuntu/openssl	deb	ubuntu	24.10	>=0	Not yet available
ubuntu/openssl	deb	ubuntu	24.04	>=0	Not yet available

Severity and metrics

No CVSS data available from this advisory.

NIST

CREATED

9 months ago

UPDATED

9 months ago

ADVISORY IDCVE-2024-41996⁠

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

7.5high

Amazon

CREATED

7 months ago

UPDATED

7 months ago

ADVISORY IDALAS2023-2024-727⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Amedium

Red Hat

CREATED

9 months ago

UPDATED

2 months ago

ADVISORY IDCVE-2024-41996⁠

EXPLOITABILITY SCORE

2.2

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

5.9low