Published: 2002-08-12 00:00:00
Revised: 2008-09-05 16:27:58

[Original] Vulnerability in PureTLS before 0.9b2 related to injection attacks, which could possibly allow remote attackers to corrupt or hijack user sessions.

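[CNNVD] Claymore PureTLS injection attack vulnerability (CNNVD-200208-077)

        A vulnerability in PureTLS version 0.9b2 is related to injection attacks. Remote attackers may exploit this vulnerability to corrupt or hijack user sessions.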

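- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]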

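- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources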
(VENDOR_ADVISORY)  XF  puretls-injection-attack(8386)
(UNKNOWN)  BUGTRAQ  20020305 PureTLS Security Announcement: Upgrade to 0.9b2

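- Vulnerability information

Claymore PureTLS injection attack vulnerability
High risk Unknown
2002-08-12 00:00:00 2005-10-20 00:00:00
        A vulnerability in PureTLS version 0.9b2 is related to injection attacks. Remote attackers may exploit this vulnerability to corrupt or hijack user sessions.

- Advisories and patches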

        An updated version is available:
        Claymore Systems Inc PureTLS 0.9 b1

- Vulnerability information

PureTLS Session Corruption and Hijacking
Remote / Network Access Denial of Service
Loss of Confidentiality, Loss of Integrity, Loss of Availability

- Vulnerability description

PureTLS Java implementation of SSLv3/TLS contains a flaw that may allow a malicious user to corrupt or hijack a web session. Details of how this issue is triggered have been withheld. It is possible that the flaw may result in a loss of confidentiality, integrity, and/or availability.

- Timeline

2002-03-05 Unknown
Unknown Unknown

- Solution

Upgrade to version 0.9b2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Claymore PureTLS Injection Attack Vulnerability
Unknown 4237
Yes No
2002-03-01 12:00:00 2009-07-11 10:56:00
Published in a PureTLS Security Announcement.

- Affected program versions

Claymore Systems Inc PureTLS 0.9 b1
Claymore Systems Inc PureTLS 0.9 b2

- Unaffected program versions

Claymore Systems Inc PureTLS 0.9 b2

- Vulnerability discussion

Claymore PureTLS is a Java implementation of the SSLv3 and TLS protocols. The Secure Socket Layer (SSL) protocol is used to provide private communications over the internet. The Transport Layer Security (TLS) protocol is intended to provide privacy and data integrity, and encapsulate higher level protocols.

A vulnerability has been announced in some versions of PureTLS. Reportedly, earlier versions of PureTLS suffer from a possible injection attack. Although technical details are not currently available, this class of attack may allow malicious parties to subvert protected communications.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- Solution

An updated version is available:

Claymore Systems Inc PureTLS 0.9 b1

- Related references