6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
6.2 Medium
AI Score
Confidence
Low
0.15 Low
EPSS
Percentile
95.8%
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
marc.info/?l=bugtraq&m=102866120821995&w=2
marc.info/?l=bugtraq&m=102918200405308&w=2
marc.info/?l=bugtraq&m=102976967730450&w=2
docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-050
exchange.xforce.ibmcloud.com/vulnerabilities/9776
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1056
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1332
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2671