PT-2004-1274 · Ncipher · Ncipher Payshield Spp Library

Published 2004-02-17 · Updated 2017-10-10 · CVE-2004-0063

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

nCipher payShield SPP library versions 1.3.12, 1.5.18, 1.6.18

Description

The issue concerns the SPP VerifyPVV function in the nCipher payShield SPP library, which may return a Status OK value even when the HSM returns a different status code. This could lead to applications making incorrect security-critical decisions, such as accepting an invalid PIN.

Recommendations

For version 1.3.12, consider disabling the SPP VerifyPVV function until a patch is available. For version 1.5.18, restrict the use of the SPP VerifyPVV function to minimize the risk of exploitation. For version 1.6.18, avoid relying on the Status OK value returned by the SPP VerifyPVV function for security-critical decisions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Related identifiers

CVE-2004-0063

Affected products

Ncipher Payshield Spp Library