Stunnel
CVE-2013-1762
MEDIUM
Severity by source
AV:N/AC:H/Au:N/C:P/I:P/A:C
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
AV:N/AC:H/Au:N/C:P/I:P/A:C
Lifecycle Timeline
1DescriptionCVE.org
stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow.
AnalysisAI
stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. stunnel 4.21 through 4.54, when CONNECT protocol negotiation and NTLM authentication are enabled, does not correctly perform integer conversion, which allows remote proxy servers to execute arbitrary code via a crafted request that triggers a buffer overflow. Affected products include: Stunnel. Version information: through 4.54.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.
A flaw was found in stunnel before 5.57, where it improperly validates client certificates when it is configured to use
Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server a
stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number g
Same weakness CWE-94 – Code Injection
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today