CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS2: 5 Medium
AV:N/AC:L/Au:N/C:N/I:N/A:P

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

EPSS: 0.002 Low
Percentile: 55.4%

The OpenSSL project reports:

Invalid handling of X509_verify_cert() internal errors in libssl (Moderate)

Internally libssl in OpenSSL calls X509_verify_cert() on the client
side to verify a certificate supplied by a server. That function may
return a negative return value to indicate an internal error (for
example out of memory). Such a negative return value is mishandled by
OpenSSL and will cause an IO function (such as SSL_connect() or
SSL_do_handshake()) to not indicate success and a subsequent call to
SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY.

This return value is only supposed to be returned by OpenSSL if the
application has previously called SSL_CTX_set_cert_verify_callback().
Since most applications do not do this the
SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be
totally unexpected and applications may not behave correctly as a
result. The exact behaviour will depend on the application but it
could result in crashes, infinite loops or other similar incorrect
responses.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | openssl-devel | < 3.0.1 | UNKNOWN |
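
A client-side handshake loop that fails closed on the unexpected SSL_ERROR_WANT_RETRY_VERIFY described in the advisory, set beside a naive loop that retries on every non-success code. This is an added example, not code from OpenSSL or from this advisory: the `hs_step_fn` hook, the two policy functions and the two step stubs are hypothetical, and the error-code values are copied from OpenSSL 3.0's `<openssl/ssl.h>` so the block builds without libssl.

```c
#include <stdbool.h>

/* Codes as defined in OpenSSL 3.0 <openssl/ssl.h>; repeated so this builds without libssl. */
#ifndef SSL_ERROR_WANT_RETRY_VERIFY
#define SSL_ERROR_NONE 0
#define SSL_ERROR_WANT_READ 2
#define SSL_ERROR_WANT_WRITE 3
#define SSL_ERROR_WANT_RETRY_VERIFY 12
#endif

enum hs_result { HS_DONE, HS_FAILED, HS_GAVE_UP };
/* Hypothetical hook: one SSL_do_handshake() attempt, returning its SSL_get_error() code. */
typedef int (*hs_step_fn)(void *ctx);
/* Naive policy: every non-success code is treated as "call again". */
static bool naive_should_retry(int err) { return err != SSL_ERROR_NONE; }

/* Strict policy: retry only the codes the application can actually service. */
static bool strict_should_retry(int err, bool has_verify_cb) {
    switch (err) {
    case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE:
        return true;
    case SSL_ERROR_WANT_RETRY_VERIFY:
        /* Only meaningful after SSL_CTX_set_cert_verify_callback(). */
        return has_verify_cb;
    default:
        return false; /* unknown or fatal: fail closed */
    }
}

enum hs_result run_handshake(hs_step_fn step, void *ctx, bool strict,
                             bool has_verify_cb, int max_attempts) {
    for (int i = 0; i < max_attempts; i++) {
        int err = step(ctx);
        if (err == SSL_ERROR_NONE) return HS_DONE;
        if (!(strict ? strict_should_retry(err, has_verify_cb) : naive_should_retry(err)))
            return HS_FAILED;
    }
    return HS_GAVE_UP; /* budget spent; without it the naive loop never ends */
}

/* Constructed stub: certificate verification keeps hitting an internal error. */
int stuck_verify_step(void *ctx) { ++*(int *)ctx; return SSL_ERROR_WANT_RETRY_VERIFY; }
/* Constructed stub: one WANT_READ, then the handshake completes. */
int normal_step(void *ctx) { return ++*(int *)ctx < 2 ? SSL_ERROR_WANT_READ : SSL_ERROR_NONE; }

int main(void) {
    int n = 0; /* exit status 0 when the strict loop aborts on the first attempt */
    return run_handshake(stuck_verify_step, &n, true, false, 1000) == HS_FAILED ? 0 : 1;
}
```

In a real client the step hook would wrap `SSL_do_handshake()` followed by `SSL_get_error()`, and the attempt budget would normally be paired with a wall-clock timeout.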