CVE-2019-1559 is a medium severity vulnerability with a CVSS score of 5.9. No known exploits currently, and patches are available.
Moderate probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
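The affected range stated above (1.0.2 through 1.0.2q, fixed in 1.0.2r) can be checked against collected version banners. The following is an added example, not code from OpenSSL or from this page; the function names and the sample inventory are constructed for illustration. It tests only the version condition, not the ciphersuite or double `SSL_shutdown()` conditions.

```python
import re
import ssl

# Range from the advisory text above: affected 1.0.2 through 1.0.2q, fixed in 1.0.2r.
FIRST_AFFECTED = "OpenSSL 1.0.2"
FIXED_IN = "OpenSSL 1.0.2r"

# Matches "OpenSSL 1.0.2k-fips ..." (openssl version) and "OpenSSL/1.0.2n" (server banners).
_BANNER = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]{0,2})(-(?:beta|pre)\d+)?")


def version_key(banner):
    """Parse a banner into ((major, minor, fix, letter_rank), is_prerelease) or None."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    # Letter releases order as "" < a < ... < z < za < zb, so sum the letter ranks.
    letter_rank = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    key = (int(m.group(1)), int(m.group(2)), int(m.group(3)), letter_rank)
    return key, m.group(5) is not None


def classify(banner):
    """Return 'in-affected-range', 'outside-range' or 'unknown' for one banner."""
    parsed = version_key(banner)
    if parsed is None:
        return "unknown"  # no OpenSSL version present (other library, stripped banner)
    key, prerelease = parsed
    low, _ = version_key(FIRST_AFFECTED)
    fixed, _ = version_key(FIXED_IN)
    if prerelease and key == low:
        return "unknown"  # the stated range says nothing about 1.0.2 beta/pre builds
    return "in-affected-range" if low <= key < fixed else "outside-range"


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "build-01": "OpenSSL 1.0.2k-fips",
    "web-02": "Apache/2.4.29 (Unix) OpenSSL/1.0.2q",
    "web-03": "OpenSSL 1.0.2r",
    "proxy-04": "nginx/1.14.0",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:10} {classify(banner):18} {banner}")
    # The OpenSSL build linked into this Python interpreter.
    print("local     ", classify(ssl.OPENSSL_VERSION), ssl.OPENSSL_VERSION)
```

A distribution package can carry a backported fix under an older upstream version string, so treat `in-affected-range` as a prompt to check the vendor's package changelog rather than as proof of exposure.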
| Vendor | Product |
|---|---|
| F5 | Big IP Webaccelerator |
| Netapp | C190 |
| Fedoraproject | Fedora |
| Netapp | Oncommand Workflow Automation |
| F5 | Big IP Domain Name System |
| Netapp | Active Iq Unified Manager |
| Netapp | C190 Firmware |
| Oracle | Enterprise Manager Ops Center |
| Node.js | Node.js |
| Mcafee | Web Gateway |
And 80 more...
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.