Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0yOXh4LWhjdjItYzRjcM4AAxfr

openssl-src subject to Invalid pointer dereference in `d2i_PKCS7` functions

An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.

Permalink: https://github.com/advisories/GHSA-29xx-hcv2-c4cp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yOXh4LWhjdjItYzRjcM4AAxfr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 2 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-29xx-hcv2-c4cp, CVE-2023-0216
References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-0216
• https://rustsec.org/advisories/RUSTSEC-2023-0011.html
• https://www.openssl.org/news/secadv/20230207.txt
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6
• https://security.gentoo.org/glsa/202402-08
• https://github.com/advisories/GHSA-29xx-hcv2-c4cp

Blast Radius: 26.7

Affected Packages