4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.093 Low
EPSS
Percentile
94.6%
Problem Description
When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any
bytes which follow the cryptographic hash being signed. In
a valid signature there will be no such bytes.
Impact
OpenSSL will incorrectly report some invalid signatures as
valid. When an RSA public exponent of 3 is used, or more
generally when a small public exponent is used with a
relatively large modulus (e.g., a public exponent of 17 with
a 4096-bit modulus), an attacker can construct a signature
which OpenSSL will accept as a valid PKCS#1 v1.5 signature.
Workaround
No workaround is available.