A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.’ character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.

Affected configurations

NVD

Node

opensslopensslRange3.0.0–3.0.7

Node

fedoraprojectfedoraMatch36

fedoraprojectfedoraMatch37

Node

nodejsnode.jsRange18.0.0–18.11.0-

nodejsnode.jsMatch18.12.0lts

nodejsnode.jsMatch19.0.0-

References

git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a

www.openssl.org/news/secadv/20221101.txt

veracode 1

alpinelinux 1

cvelist 1

openssl 1

githubexploit 1

cnvd 1

osv 7

wolfi 1

debiancve 1

cve 1

rustsec 1

prion 1

cgr 1

github 1

redhatcve 1

checkpoint_advisories 2

msrc 4

f5 1

redhat 3

oraclelinux 3

gentoo 2

ibm 12

rocky 1

openvas 11

ics 4

fortinet 1

rapid7blog 4

nessus 26

fedora 2

mscve 2

nvidia 1

hivepro 1

photon 3

kaspersky 2

amd 1

akamaiblog 1

intel 1

talosblog 1

cisco 1

freebsd 1

ubuntucve 1

arista 1

almalinux 1

cisa 1

qualysblog 3

wizblog 1

suse 1

trellix 6

ubuntu 1

nodejsblog 1

aix 1

cert 1

thn 1

oracle 4

veracode

Buffer Overflow

2022-11-01 19:44:02

alpinelinux

CVE-2022-3786

2022-11-01 18:15:11

cvelist

CVE-2022-3786 X.509 Email Address Variable Length Buffer Overflow

2022-11-01 00:00:00

openssl

Vulnerability in OpenSSL CVE-2022-3786

2022-11-01 00:00:00

githubexploit

Exploit for Classic Buffer Overflow in Openssl

2022-12-13 16:43:01

cnvd

OpenSSL Denial of Service Vulnerability (CNVD-2022-73349)

2022-11-03 00:00:00

osv

BIT-node-2022-3786

2024-03-06 11:02:40

CVE-2022-3786

2022-11-01 18:15:11

X.509 Email Address Variable Length Buffer Overflow

2022-11-01 17:45:21

wolfi

CVE-2022-3786 vulnerabilities

2024-06-18 09:08:19

debiancve

CVE-2022-3786

2022-11-01 18:15:11

cve

CVE-2022-3786

2022-11-01 18:15:11

rustsec

X.509 Email Address Variable Length Buffer Overflow

2022-11-01 12:00:00

prion

Stack overflow

2022-11-01 18:15:00

cgr

CVE-2022-3786 vulnerabilities

2024-05-19 03:07:16

github

X.509 Email Address Variable Length Buffer Overflow

2022-11-01 17:45:21

redhatcve

CVE-2022-3786

2022-11-01 16:26:08

checkpoint_advisories

OpenSSL Buffer Overflow (CVE-2022-3786)

2022-11-03 00:00:00

OpenSSL Buffer Overflow (CVE-2022-3602; CVE-2022-3786)

2022-11-03 00:00:00

msrc

OpenSSL 3.0 ~ 3.0.6 のリスク (CVE-2022-3786 および CVE-2202-3602) に関する認識とガイダンス

2022-11-03 07:00:00

Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602)

2022-11-03 00:46:06

Awareness and guidance related to OpenSSL 3.0 - 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602)

2022-11-02 07:00:00

OpenSSL vulnerabilities CVE-2022-3786 and CVE-2022-3602

2022-10-28 17:31:00

redhat

(RHSA-2022:7288) Important: openssl security update

2022-11-01 18:25:07

(RHSA-2022:7384) Important: openssl-container security update

2022-11-02 18:29:10

(RHSA-2023:0786) Important: Network observability 1.1.0 security update

2023-02-15 11:39:53

oraclelinux

openssl security update

2022-11-01 00:00:00

openssl security update

2022-11-01 00:00:00

openssl security update

2022-11-17 00:00:00

gentoo

OpenSSL: Multiple Vulnerabilities

2022-11-01 00:00:00

Node.js: Multiple Vulnerabilities

2024-05-08 00:00:00

ibm

Security Bulletin: IBM MQ Advanced Message Security on IBM i platforms is affected by a buffer overflow issue in OpenSSL (CVE-2022-3602, CVE-2022-3786)

2022-11-04 12:45:04

Security Bulletin: IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities.

2023-03-07 09:44:53

Security Bulletin: OpenSSL vulnerabilities might impact IBM Cloud Application Business Insights - CVE-2022-3602 & CVE-2022-3786

2022-12-30 15:09:22

rocky

openssl security update

2022-11-01 18:25:07

openvas

Fedora: Security Advisory for openssl (FEDORA-2022-0f1d2e0537)

2022-11-03 00:00:00

OpenSSL: Multiple Vulnerabilities (Nov 2022) - Windows

2022-10-28 00:00:00

OpenSSL: Multiple Vulnerabilities (Nov 2022) - Linux

2022-10-28 00:00:00

ics

Hitachi Energy PCU400

2023-01-19 12:00:00

Siemens Products affected by OpenSSL 3.0

2022-12-15 12:00:00

Hitachi Energy Lumada Asset Performance Management

2023-01-05 12:00:00

fortinet

Protect

2022-10-28 00:00:00

rapid7blog

CVE-2022-3786 and CVE-2022-3602: Two High-Severity Buffer Overflow Vulnerabilities in OpenSSL Fixed

2022-11-01 16:38:53

Rapid7’s Impact from OpenSSL Buffer Overflow Vulnerabilities (CVE-2022-3786 & CVE-2022-3602)

2022-11-11 13:41:22

Year in Review: Rapid7 Vulnerability Management

2023-01-09 17:00:00

nessus

Fedora 36 : 1:openssl (2022-502f096dce)

2022-11-01 00:00:00

Oracle Linux 9 : openssl (ELSA-2022-7288)

2022-11-02 00:00:00

AlmaLinux 9 : openssl (ALSA-2022:7288)

2022-11-02 00:00:00

fedora

[SECURITY] Fedora 37 Update: openssl-3.0.5-3.fc37

2022-11-02 02:01:31

[SECURITY] Fedora 36 Update: openssl-3.0.5-2.fc36

2022-11-02 01:50:12

mscve

OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun

2022-11-02 07:00:00

OpenSSL: CVE-2022-3602 X.509 certificate verification buffer overrun

2022-11-02 07:00:00

nvidia

Security Notice: NVIDIA Response to OpenSSL Vulnerabilities - November 2022

2022-11-01 00:00:00

hivepro

Patch available for pre-announced Critical Vulnerability in OpenSSL

2022-11-02 07:27:54

photon

Important Photon OS Security Update - PHSA-2022-0272

2022-11-02 00:00:00

Important Photon OS Security Update - PHSA-2022-4.0-0272

2022-11-02 00:00:00

Critical Photon OS Security Update - PHSA-2023-5.0-0011

2023-05-24 00:00:00

kaspersky

KLA20036 Multiple vulnerabilities in Microsoft Azure

2022-11-02 00:00:00

KLA20037 Multiple vulnerabilities in Microsoft Open Source Software

2022-11-02 00:00:00

amd

OpenSSL Vulnerabilities

2023-08-08 00:00:00

akamaiblog

An update on the impact of OpenSSL CVE-2022-3602 and CVE-2022-3786 on Akamai's systems

2022-11-07 10:00:00

intel

Intel® Software Products Advisory for OpenSSL Vulnerabilities (CVE-2022-3786 & CVE-2022-3602) Advisory

2023-02-02 00:00:00

talosblog

Threat Advisory: High Severity OpenSSL Vulnerabilities

2022-11-01 19:03:49

cisco

Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022

2022-10-28 16:00:00

freebsd

OpenSSL -- Buffer overflows in Email verification

2022-11-01 00:00:00

ubuntucve

CVE-2022-3786

2022-11-01 00:00:00

arista

Security Advisory 0081

2022-11-01 00:00:00

almalinux

Important: openssl security update

2022-11-01 00:00:00

cisa

OpenSSL Releases Security Update

2022-11-01 00:00:00

qualysblog

Qualys Research Alert: OpenSSL 3.0.7 – What You Need To Know

2022-10-31 14:15:52

OpenSSL Vulnerability Recap

2022-11-03 17:00:00

November 2022 Patch Tuesday | Microsoft Releases 65 New Vulnerabilities with 10 Critical; Adobe Releases Zero Advisories (for the first time in six years).

2022-11-08 21:00:00

wizblog

OpenSSL vulnerabilities: Everything you need to know

2022-10-29 04:11:46

suse

Security update for openssl-3 (critical)

2022-11-01 00:00:00

trellix

CVE-2023-0286: The OpenSSL Who Cried “Severity: High

2023-02-09 00:00:00

OpenSSL 3.0 Vulnerabilities: CVE 2022-3786 and CVE 2022-3602

2022-11-01 00:00:00

CVE-2023-0286: The OpenSSL Who Cried “Severity: High

2023-02-09 00:00:00

ubuntu

OpenSSL vulnerabilities

2022-11-01 00:00:00

nodejsblog

Nov 3 2022 Security Releases

2022-11-01 00:00:00

aix

Multiple vulnerabilities in OpenSSL affect AIX

2023-01-24 09:22:21

cert

OpenSSL 3.0.0 to 3.0.6 decodes some punycode email addresses in X.509 certificates improperly

2022-11-01 00:00:00

thn

OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

2022-11-01 16:26:00

oracle

Oracle Critical Patch Update Advisory - January 2024

2024-01-16 00:00:00

Oracle Critical Patch Update Advisory - January 2023

2023-01-17 00:00:00

Oracle Critical Patch Update Advisory - July 2023

2023-07-18 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

47.3%

JSON

Related for NVD:CVE-2022-3786

veracode1 alpinelinux1 cvelist1 openssl1 githubexploit1 cnvd1 osv7 wolfi1 debiancve1 cve1 rustsec1 prion1 cgr1 github1 redhatcve1 checkpoint_advisories2 msrc4 f51 redhat3 oraclelinux3 gentoo2 ibm12 rocky1 openvas11 ics4 fortinet1 rapid7blog4 nessus26 fedora2 mscve2 nvidia1 hivepro1 photon3 kaspersky2 amd1 akamaiblog1 intel1 talosblog1 cisco1 freebsd1 ubuntucve1 arista1 almalinux1 cisa1 qualysblog3 wizblog1 suse1 trellix6 ubuntu1 nodejsblog1 aix1 cert1 thn1 oracle4