PT-2023-3200 · OpenSSL
Credited: David Benjamin
Published: 2023-03-28 · Updated: 2026-04-27
CVE-2023-0465
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenSSL (affected versions not specified)
Description
The issue concerns how OpenSSL handles invalid certificate policies in leaf certificates. When a non-default option is used for verifying certificates, applications may be vulnerable to an attack by a malicious Certificate Authority (CA) that circumvents certain checks. Invalid certificate policies in leaf certificates are silently ignored, and the remaining certificate policy checks are skipped for that certificate. A malicious CA could therefore deliberately assert invalid certificate policies to bypass policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the -policy argument to the command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Improper Certificate Validation
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
AlmaLinux
Astra Linux
IBM AIX
Linux Mint
OpenSSL
Red Hat
RED OS
SUSE
Ubuntu