Sorry folks - I was fixated on something else to see the obvious. -Amarendra
On Sun, Jan 26, 2014 at 10:22 AM, Amarendra Godbole <[email protected]> wrote: > Hi, > > I am analyzing CVE-2013-4353, and the CVSS vector mentions Au > parameter to N [1] From what I understand, the culprit code is called > in the Server Finish message of the handshake, which is the last step > - by this time the client has authenticated the server (step 3). So > why does the CVSS vector mention authentication to be None? > > Thanks. > > -ag > > [1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353 > CVSS v2 Base Score:4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P) ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
