Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTg0cm0tcWYzNy1mZ2My

Moderate EPSS: 0.00665% (0.70605 Percentile) EPSS:
Permalink JSON

Integer Overflow in openssl-src

Affected Packages Affected Versions Fixed Versions
cargo:openssl-src
PURL: pkg:cargo/openssl-src
< 111.14.0 111.14.0
13 Dependent packages
3,600 Dependent repositories
52,298,091 Downloads total

Affected Version Ranges

All affected versions

110.0.0+1.1.0f, 110.0.1+1.1.0f, 110.0.2+1.1.0h, 110.0.3+1.1.0h, 110.0.4+1.1.0h, 110.0.5+1.1.0h, 110.0.6+1.1.0h, 110.0.7+1.1.0i, 111.0.0+1.1.1, 111.0.1+1.1.1, 111.1.0+1.1.1a, 111.1.1+1.1.1a, 111.2.1+1.1.1b, 111.3.0+1.1.1c, 111.4.0+1.1.1c, 111.5.0+1.1.1c, 111.6.0+1.1.1d, 111.6.1+1.1.1d, 111.7.0+1.1.1e, 111.8.0+1.1.1f, 111.8.1+1.1.1f, 111.9.0+1.1.1g, 111.10.0+1.1.1g, 111.10.1+1.1.1g, 111.10.2+1.1.1g, 111.11.0+1.1.1h, 111.12.0+1.1.1h, 111.13.0+1.1.1i

All unaffected versions

111.14.0+1.1.1j, 111.15.0+1.1.1k, 111.16.0+1.1.1l, 111.17.0+1.1.1m, 111.18.0+1.1.1n, 111.19.0+1.1.1o, 111.20.0+1.1.1o, 111.21.0+1.1.1p, 111.22.0+1.1.1q, 111.23.0+1.1.1r, 111.24.0+1.1.1s, 111.25.0+1.1.1t, 111.25.1+1.1.1t, 111.25.2+1.1.1t, 111.25.3+1.1.1t, 111.26.0+1.1.1u, 111.27.0+1.1.1v, 111.28.0+1.1.1w, 111.28.1+1.1.1w, 111.28.2+1.1.1w, 300.0.0+3.0.0, 300.0.1+3.0.0, 300.0.2+3.0.0, 300.0.3+3.0.0, 300.0.4+3.0.1, 300.0.5+3.0.2, 300.0.6+3.0.3, 300.0.7+3.0.3, 300.0.8+3.0.4, 300.0.9+3.0.5, 300.0.10+3.0.6, 300.0.11+3.0.7, 300.0.12+3.0.8, 300.0.13+3.0.8, 300.1.0+3.1.0, 300.1.1+3.1.0, 300.1.2+3.1.1, 300.1.3+3.1.2, 300.1.4+3.1.2, 300.1.5+3.1.3, 300.1.6+3.1.4, 300.2.0+3.2.0, 300.2.1+3.2.0, 300.2.2+3.2.1, 300.2.3+3.2.1, 300.3.0+3.3.0, 300.3.1+3.3.1, 300.3.2+3.3.2, 300.4.0+3.4.0, 300.4.1+3.4.0, 300.4.2+3.4.1, 300.5.0+3.5.0, 300.5.1+3.5.1, 300.5.2+3.5.2, 300.5.3+3.5.4, 300.5.4+3.5.4

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

References:

Identifiers

GHSA-84rm-qf37-fgc2

CVE-2021-23841

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00665

EPSS Percentile: 0.70605

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

about 4 years ago

Updated

over 2 years ago

API

JSON