What is CVE-2014-3616?

CVE-2014-3616 is a vulnerability in F5 Nginx, classified under Insufficient Session Expiration. Published 2014-12-08.

Is CVE-2014-3616 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in F5 Nginx

CVE-2014-3616

nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to condu…

EPSS: 0.024 (85.5th percentile) — read the EPSS interpretation.

Affected products

F5 Nginx
Debian Debian_linux — versions 7.0, 8.0
N/a — versions n/a

Weakness classification (CWE)

CWE-613 — Insufficient Session Expiration

Public proof-of-concept exploits

addisonburkett/cve_

References

[nginx-announce] 20140916 nginx security advisory (CVE-2014-3616) (Vendor Advisory, mailing-list, x_refsource_MLIST)
DSA-3029 (vendor-advisory, Third Party Advisory, x_refsource_DEBIAN)

Frequently asked questions

What is CVE-2014-3616?: CVE-2014-3616 is a vulnerability in F5 Nginx, classified under Insufficient Session Expiration. Published 2014-12-08.
Is CVE-2014-3616 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.