CVE-2023-0466
Severity CVSS v4.0:
Pending analysis
Type:
CWE-295
Improper Certificate Validation
Publication date:
28/03/2023
Last modified:
19/02/2025
Description
The function X509_VERIFY_PARAM_add0_policy() is documented to<br />
implicitly enable the certificate policy check when doing certificate<br />
verification. However the implementation of the function does not<br />
enable the check which allows certificates with invalid or incorrect<br />
policies to pass the certificate verification.<br />
<br />
As suddenly enabling the policy check could break existing deployments it was<br />
decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy()<br />
function.<br />
<br />
Instead the applications that require OpenSSL to perform certificate<br />
policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly<br />
enable the policy check by calling X509_VERIFY_PARAM_set_flags() with<br />
the X509_V_FLAG_POLICY_CHECK flag argument.<br />
<br />
Certificate policy checks are disabled by default in OpenSSL and are not<br />
commonly used by applications.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 1.0.2 (including) | 1.0.2zh (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 1.1.1 (including) | 1.1.1u (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.9 (excluding) |
| cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 3.1.0 (including) | 3.1.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2023/09/28/4
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D51e8a84ce742db0f6c70510d0159dad8f7825908
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D73398dea26de9899fb4baa94098ad0a61f435c72
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3Dfc814a30fc4f0bc54fcea7d9a7462f5457aab061
- https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- https://security.gentoo.org/glsa/202402-08
- https://security.netapp.com/advisory/ntap-20230414-0001/
- https://www.debian.org/security/2023/dsa-5417
- https://www.openssl.org/news/secadv/20230328.txt
- http://www.openwall.com/lists/oss-security/2023/09/28/4
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D51e8a84ce742db0f6c70510d0159dad8f7825908
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3D73398dea26de9899fb4baa94098ad0a61f435c72
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommitdiff%3Bh%3Dfc814a30fc4f0bc54fcea7d9a7462f5457aab061
- https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- https://security.gentoo.org/glsa/202402-08
- https://security.netapp.com/advisory/ntap-20230414-0001/
- https://www.debian.org/security/2023/dsa-5417
- https://www.openssl.org/news/secadv/20230328.txt