{"api_version":"1","generated_at":"2026-04-23T05:05:28+00:00","cve":"CVE-2018-0733","urls":{"html":"https://cve.report/CVE-2018-0733","api":"https://cve.report/api/cve/CVE-2018-0733.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-0733","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-0733"},"summary":{"title":"CVE-2018-0733","description":"Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).","state":"PUBLIC","assigner":"openssl-security@openssl.org","published_at":"2018-03-27 21:29:00","updated_at":"2023-11-07 02:51:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/103517","name":"103517","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"OpenSSL CVE-2018-0733 Security Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f","name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201811-21","name":"GLSA-201811-21","refsource":"GENTOO","tags":[],"title":"OpenSSL: Multiple vulnerabilities (GLSA 201811-21) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","name":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","refsource":"CONFIRM","tags":[],"title":"CPU July 2018","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20180330-0002/","name":"https://security.netapp.com/advisory/ntap-20180330-0002/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"March 2018 OpenSSL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f","name":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f","refsource":"","tags":[],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"404","archivestatus":"200"},{"url":"https://www.openssl.org/news/secadv/20180327.txt","name":"https://www.openssl.org/news/secadv/20180327.txt","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"200"},{"url":"https://www.tenable.com/security/tns-2018-07","name":"https://www.tenable.com/security/tns-2018-07","refsource":"CONFIRM","tags":[],"title":"[R1] Nessus Network Monitor 5.5.0 Fixes One Third-party Vulnerability - Security Advisory | Tenable®","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","name":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","refsource":"CONFIRM","tags":[],"title":"Oracle Critical Patch Update - January 2019","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","name":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update - July 2019","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.tenable.com/security/tns-2018-06","name":"https://www.tenable.com/security/tns-2018-06","refsource":"CONFIRM","tags":[],"title":"[R1] Industrial Security 1.1.0 Fixes One Third-party Vulnerability - Security Advisory | Tenable®","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1040576","name":"1040576","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"OpenSSL Bugs Let Users Deny Service and Bypass Authentication in Certain Cases - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","name":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","refsource":"CONFIRM","tags":[],"title":"CPU Oct 2018","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.tenable.com/security/tns-2018-04","name":"https://www.tenable.com/security/tns-2018-04","refsource":"CONFIRM","tags":[],"title":"[R1] OpenSSL Stand-alone Patch Available for SecurityCenter versions 5.0 or Later - Security Advisory | Tenable®","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","name":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2019","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-0733","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-0733","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Peter Waltenberg (IBM)","lang":""}],"nvd_cpes":[{"cve_year":"2018","cve_id":"733","vulnerable":"1","versionEndIncluding":"1.1.0g","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openssl","cpe5":"openssl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-0733","qid":"710214","title":"Gentoo Linux Open Secure Sockets Layer Multiple Vulnerabilities (GLSA 201811-21)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"openssl-security@openssl.org","DATE_PUBLIC":"2018-03-27","ID":"CVE-2018-0733","STATE":"PUBLIC","TITLE":"Incorrect CRYPTO_memcmp on HP-UX PA-RISC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"OpenSSL","version":{"version_data":[{"version_value":"Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g)"}]}}]},"vendor_name":"OpenSSL"}]}},"credit":[{"lang":"eng","value":"Peter Waltenberg (IBM)"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g)."}]},"impact":[{"lang":"eng","url":"https://www.openssl.org/policies/secpolicy.html#Moderate","value":"Moderate"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Message forgery"}]}]},"references":{"reference_data":[{"name":"https://www.tenable.com/security/tns-2018-07","refsource":"CONFIRM","url":"https://www.tenable.com/security/tns-2018-07"},{"name":"https://www.tenable.com/security/tns-2018-04","refsource":"CONFIRM","url":"https://www.tenable.com/security/tns-2018-04"},{"name":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"name":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","refsource":"CONFIRM","url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"name":"GLSA-201811-21","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201811-21"},{"name":"103517","refsource":"BID","url":"http://www.securityfocus.com/bid/103517"},{"name":"https://www.tenable.com/security/tns-2018-06","refsource":"CONFIRM","url":"https://www.tenable.com/security/tns-2018-06"},{"name":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"name":"https://security.netapp.com/advisory/ntap-20180330-0002/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20180330-0002/"},{"name":"1040576","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1040576"},{"name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f","refsource":"CONFIRM","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f"},{"name":"https://www.openssl.org/news/secadv/20180327.txt","refsource":"CONFIRM","url":"https://www.openssl.org/news/secadv/20180327.txt"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","refsource":"MISC","name":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","refsource":"MISC","name":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"}]}},"nvd":{"publishedDate":"2018-03-27 21:29:00","lastModifiedDate":"2023-11-07 02:51:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.0","versionEndIncluding":"1.1.0g","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"733","Ordinal":"115662","Title":"CVE-2018-0733","CVE":"CVE-2018-0733","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"733","Ordinal":"1","NoteData":"Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).","Type":"Description","Title":null},{"CveYear":"2018","CveId":"733","Ordinal":"2","NoteData":"2018-03-27","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"733","Ordinal":"3","NoteData":"2019-07-23","Type":"Other","Title":"Modified"}]}}}