CVSS Base Vector:
Detection Method: Remote Banner Unreliable
OpenSSL on Windows is prone to an insecure path defaults vulnerability.

OpenSSL has internal defaults for a directory tree where it looks for a configuration file as well as for the certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options.

For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that the resulting programs and libraries are installed in a Unix-like environment, and that the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'.

However, mingw programs are Windows programs, and as such they end up looking at sub-directories of 'C:/usr/local'. That directory may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as the default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix.
Affected Versions: OpenSSL versions 1.0.2 through 1.0.2s, 1.1.0 through 1.1.0k and 1.1.1 through 1.1.1c on Windows.
Solution: Apply the provided patches or update to a newer version.
NVD CVE ID:
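The two conditions the advisory describes can be checked from a capture of `openssl version -a`. The following is an added example, not OpenSSL's or Mageni's code: it parses the capture, tests the release against the affected ranges listed above, and, for a mingw or Visual C build, flags an OPENSSLDIR or ENGINESDIR default given as a drive-less Unix path (which Windows resolves against the current drive, e.g. 'C:/usr/local/ssl'). The sample capture is constructed, and the regexes assume the usual line layout of `openssl version -a` (`platform:`, `OPENSSLDIR: "..."`, `ENGINESDIR: "..."`).

```python
import re

# Last affected patch letter per release branch, as listed in the advisory.
AFFECTED_LAST = {"1.0.2": "s", "1.1.0": "k", "1.1.1": "c"}
# Platform strings that identify a Windows build (mingw, mingw64, VC-WIN32, VC-WIN64A).
WINDOWS_PLATFORMS = ("mingw", "VC-WIN")


def parse_version_a(text):
    """Pull version, platform and directory defaults out of 'openssl version -a' output."""
    info = {}
    m = re.search(r"^OpenSSL (\d+\.\d+\.\d+)([a-z]*)", text, re.M)
    if m:
        info["base"], info["letter"] = m.group(1), m.group(2)
    for key in ("platform", "OPENSSLDIR", "ENGINESDIR"):
        m = re.search(rf"^{key}: (.+)$", text, re.M)
        if m:
            info[key] = m.group(1).strip().strip('"')
    return info


def version_affected(base, letter):
    """Patch letters sort alphabetically; an empty letter is the branch's first release."""
    last = AFFECTED_LAST.get(base)
    return last is not None and letter <= last


def drive_relative(path):
    """Unix-style absolute path with no drive letter and no UNC prefix: on Windows it
    is resolved against the current drive ('/usr/local' becomes 'C:/usr/local')."""
    return path.startswith("/") and not path.startswith("//")


def audit(text):
    """Return a list of findings for one 'openssl version -a' capture (empty = clean)."""
    info = parse_version_a(text)
    findings = []
    if version_affected(info.get("base", ""), info.get("letter", "")):
        findings.append(f"affected release {info['base']}{info['letter']}")
    windows_build = info.get("platform", "").startswith(WINDOWS_PLATFORMS)
    for key in ("OPENSSLDIR", "ENGINESDIR"):
        path = info.get(key)
        if windows_build and path and drive_relative(path):
            findings.append(f"{key} {path} is drive-relative (resolves to e.g. C:{path})")
    return findings


# Constructed sample capture for a mingw64 build of 1.1.1c (not output from a real host).
SAMPLE = """OpenSSL 1.1.1c  28 May 2019
built on: Tue May 28 12:00:00 2019 UTC
platform: mingw64
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```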