CVE-2009-0127
Severity CVSS v4.0:
Pending analysis
Type:
CWE-287
Authentication Issues
Publication date:
15/01/2009
Last modified:
09/04/2025
Description
M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."
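The bug class behind this entry is a misread of the OpenSSL verify return value. EVP_VerifyFinal(), DSA_verify(), ECDSA_verify() and the *_do_verify() variants return 1 for a good signature, 0 for a bad one, and a negative value when verification could not be carried out at all, typically because the signature's encoding is malformed. A caller that tests for "non-zero" (or "true") instead of "equal to 1" therefore accepts exactly the malformed signatures an attacker can supply, which is the CVE-2008-5077 pattern this report alleges in M2Crypto. The following is an added Python example written for this page, not M2Crypto's or OpenSSL's code: to run on the standard library alone it uses a length-prefixed HMAC-SHA256 tag as a stand-in for a DSA/ECDSA signature, with a constructed key and message, and reproduces only the tri-state return contract. The vulnerable and corrected checks are the part that matters.

```python
"""
Models the return-value contract of OpenSSL's verify family
(EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, ECDSA_do_verify):
    1  -> signature verified
    0  -> signature did not verify
   <0  -> verification could not be performed (e.g. malformed signature encoding)
and shows why "if ret:" / "if ret != 0:" turns the error case into a bypass.
Added example for this page; not M2Crypto or OpenSSL code.
"""
import hashlib
import hmac
import struct

VERIFY_OK = 1
VERIFY_BAD = 0
VERIFY_ERROR = -1

# Constructed demo key; a real deployment would hold a DSA/ECDSA public key here.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = 32  # SHA-256 digest length


def sign(message: bytes) -> bytes:
    """Stand-in signer: 1-byte length prefix + HMAC-SHA256 tag.
    HMAC is used only so the example has no third-party dependency;
    the algorithm is irrelevant to the bug, the return contract is not."""
    tag = hmac.new(DEMO_KEY, message, hashlib.sha256).digest()
    return struct.pack("B", len(tag)) + tag


def verify_final(message: bytes, signature: bytes) -> int:
    """Mimics EVP_VerifyFinal's tri-state result.
    A signature whose encoding cannot be parsed yields -1, not 0."""
    if len(signature) < 1:
        return VERIFY_ERROR
    (tag_len,) = struct.unpack("B", signature[:1])
    tag = signature[1:]
    if tag_len != TAG_LEN or len(tag) != tag_len:
        # Comparable to OpenSSL failing to decode the DER signature blob.
        return VERIFY_ERROR
    expected = hmac.new(DEMO_KEY, message, hashlib.sha256).digest()
    return VERIFY_OK if hmac.compare_digest(tag, expected) else VERIFY_BAD


def accepts_vulnerable(message: bytes, signature: bytes) -> bool:
    """The flawed caller: any non-zero return is treated as success,
    so the -1 error path is accepted as a valid signature."""
    return verify_final(message, signature) != 0


def accepts_fixed(message: bytes, signature: bytes) -> bool:
    """The correct caller: only an explicit 1 means the signature verified."""
    return verify_final(message, signature) == 1


def demo() -> dict:
    """Runs the three signature kinds through both callers.
    Returns a dict so the outcome can be inspected programmatically."""
    message = b"constructed sample message"          # constructed input
    good = sign(message)
    forged = bytearray(good)
    forged[-1] ^= 0x01                               # flip one bit of the tag
    forged = bytes(forged)
    malformed = b"\x05abc"                           # length says 5, only 3 bytes follow
    results = {}
    for name, sig in (("good", good), ("forged", forged), ("malformed", malformed)):
        results[name] = {
            "ret": verify_final(message, sig),
            "vulnerable_accepts": accepts_vulnerable(message, sig),
            "fixed_accepts": accepts_fixed(message, sig),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} ret={outcome['ret']:2d} "
              f"vulnerable={outcome['vulnerable_accepts']} fixed={outcome['fixed_accepts']}")
```

In C against OpenSSL the same two callers read `if (EVP_VerifyFinal(ctx, sig, siglen, pkey))` (wrong: -1 is truthy) and `if (EVP_VerifyFinal(ctx, sig, siglen, pkey) != 1) goto err;` (right). When auditing a wrapper such as M2Crypto's SWIG glue, the thing to look for is any comparison against 0 or a bare truth test on these calls; the vendor dispute quoted above is that M2Crypto does not call these functions at all, not that the pattern would be harmless if it did.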
Impact
Base Score (CVSS v2.0)
5.0
Severity (CVSS v2.0)
MEDIUM
Vulnerable products and versions
CPE | From | Up to
---|---|---
cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:* | | 
References to Advisories, Solutions, and Tools
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511515
- http://openwall.com/lists/oss-security/2009/01/12/4
- https://bugzilla.redhat.com/show_bug.cgi?id=479676