Lucene search

Veracode Vulnerability DatabaseVERACODE:37744

HistoryNov 01, 2022 - 7:44 p.m.

Buffer Overflow

2022-11-0119:44:02

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

34.7%

JSON

OpenSSL is vulnerable to buffer overflow. The vulnerability exists due to incomplete X.509 certificate name constraint checking after successful chain signature verification. An attacker can add a malicious email address to the certificate to overflow an arbitrary number of bytes on the stack with the . character. This crash can result in denial of service.

CPENameOperatorVersion
openssl3:3.16eq3.0.5-r1
openssl3:3.16eq3.0.3-r0
openssl3:3.16eq3.0.5-r0
openssl3:3.16eq3.0.2-r0
openssl:3.17eq3.0.5-r3
openssl:3.15le3.0.0-r2
openssl3le3.0.1__41.el8.1
openssl3:edgele3.0.5-r0
openssl3:latest-stablele3.0.5-r1
openssl3-develle3.0.1__41.el8.1

Name	Operator	Version
openssl3:3.16	eq	3.0.5-r1
openssl3:3.16	eq	3.0.3-r0
openssl3:3.16	eq	3.0.5-r0
openssl3:3.16	eq	3.0.2-r0
openssl:3.17	eq	3.0.5-r3
openssl:3.15	le	3.0.0-r2
openssl3	le	3.0.1__41.el8.1
openssl3:edge	le	3.0.5-r0
openssl3:latest-stable	le	3.0.5-r1
openssl3-devel	le	3.0.1__41.el8.1

Rows per page:

1-10 of 1391

References

packetstormsecurity.com/files/169687/OpenSSL-Security-Advisory-20221101.html

www.openwall.com/lists/oss-security/2022/11/01/15

www.openwall.com/lists/oss-security/2022/11/01/16

www.openwall.com/lists/oss-security/2022/11/01/17

www.openwall.com/lists/oss-security/2022/11/01/18

www.openwall.com/lists/oss-security/2022/11/01/19

www.openwall.com/lists/oss-security/2022/11/01/20

www.openwall.com/lists/oss-security/2022/11/01/21

www.openwall.com/lists/oss-security/2022/11/01/24

www.openwall.com/lists/oss-security/2022/11/02/1

www.openwall.com/lists/oss-security/2022/11/02/10

www.openwall.com/lists/oss-security/2022/11/02/11

www.openwall.com/lists/oss-security/2022/11/02/12

www.openwall.com/lists/oss-security/2022/11/02/13

www.openwall.com/lists/oss-security/2022/11/02/14

www.openwall.com/lists/oss-security/2022/11/02/15

www.openwall.com/lists/oss-security/2022/11/02/2

www.openwall.com/lists/oss-security/2022/11/02/3

www.openwall.com/lists/oss-security/2022/11/02/5

www.openwall.com/lists/oss-security/2022/11/02/6

www.openwall.com/lists/oss-security/2022/11/02/7

www.openwall.com/lists/oss-security/2022/11/02/9

www.openwall.com/lists/oss-security/2022/11/03/1

www.openwall.com/lists/oss-security/2022/11/03/10

www.openwall.com/lists/oss-security/2022/11/03/11

www.openwall.com/lists/oss-security/2022/11/03/2

www.openwall.com/lists/oss-security/2022/11/03/3

www.openwall.com/lists/oss-security/2022/11/03/5

www.openwall.com/lists/oss-security/2022/11/03/6

www.openwall.com/lists/oss-security/2022/11/03/7

www.openwall.com/lists/oss-security/2022/11/03/9

git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=c42165b5706e42f67ef8ef4c351a9a4c5d21639a

git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a

github.com/pblumo/openssl-vuln-nov-2022/blob/main/list.csv

isc.sans.edu/forums/diary/Upcoming+Critical+OpenSSL+Vulnerability+What+will+be+Affected/29192

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/

lists.fedoraproject.org/archives/list/[email protected]/message/63YRPWPUSX3MBHNPIEJZDKQT6YA7UF6S/

lists.fedoraproject.org/archives/list/[email protected]/message/DWP23EZYOBDJQP7HP4YU7W2ABU2YDITS/

mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0023

security.gentoo.org/glsa/202211-01

security.netapp.com/advisory/ntap-20221102-0001/

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a

www.akamai.com/blog/security-research/openssl-vulnerability-how-to-effectively-prepare

www.kb.cert.org/vuls/id/794340

www.openssl.org/blog/blog/2022/11/01/email-address-overflows/

www.openssl.org/news/secadv/20221101.txt

www.paloaltonetworks.com/blog/prisma-cloud/prepare-openssl-vulnerability/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

34.7%

JSON

Buffer Overflow

References

Related