CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
EPSS
Percentile
61.1%
Issue summary: Processing a maliciously formatted PKCS12 file may lead
OpenSSL to crash leading to a potential Denial of Service attack Impact
summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly. A file in PKCS12 format can contain
certificates and keys and may come from an untrusted source. The PKCS12
specification allows certain fields to be NULL, but OpenSSL does not
correctly check for this case. This can lead to a NULL pointer dereference
that results in OpenSSL crashing. If an application processes PKCS12 files
from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are:
PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(),
PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a
similar issue in SMIME_write_PKCS7(). However since this function is
related to writing data we do not consider it security significant. The
FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Author | Note |
---|---|
Priority reason: Upstream OpenSSL developers have rated this to be a low severity issue |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | edk2 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | nodejs | < any | UNKNOWN |
ubuntu | 22.04 | noarch | nodejs | < any | UNKNOWN |
ubuntu | 16.04 | noarch | nodejs | < any | UNKNOWN |
ubuntu | 18.04 | noarch | openssl | < 1.1.1-1ubuntu2.1~18.04.23+esm4 | UNKNOWN |
ubuntu | 20.04 | noarch | openssl | < 1.1.1f-1ubuntu2.21 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2024-0727
nvd.nist.gov/vuln/detail/CVE-2024-0727
security-tracker.debian.org/tracker/CVE-2024-0727
ubuntu.com/security/notices/USN-6622-1
ubuntu.com/security/notices/USN-6632-1
ubuntu.com/security/notices/USN-6709-1
www.cve.org/CVERecord?id=CVE-2024-0727
www.openssl.org/news/secadv/20240125.txt
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
EPSS
Percentile
61.1%