Description
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows a man-in-the-middle attacker to force the use of TLS 1.0 by triggering ClientHello message fragmentation in a connection between a client and server that both support later TLS versions; this is a "protocol downgrade" issue.
Remediation
References
Related Vulnerabilities
PostgreSQL Integer Overflow or Wraparound Vulnerability (CVE-2023-5869)
WordPress Plugin WPS Hide Login Security Bypass (1.9)
OpenSSL Observable Differences in Behavior to Error Inputs Vulnerability (CVE-2019-1559)
Squid Improper Input Validation Vulnerability (CVE-2020-25097)
Apache HTTP Server CVE-2019-0190 Vulnerability (CVE-2019-0190)