OpenSSL alternate chains certificate forgery vulnerability (CVE-2015-1793) disclosed by the OpenSSL Project on July 9 2015. IBM SDK for Node.js has addressed this CVE.
CVEID: CVE-2015-1793**
DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by an implementation error of the alternative certificate chain logic. An attacker could exploit this vulnerability to bypass the CA flag and other specific checks on untrusted certificates and issue an invalid certificate.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104500> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
This vulnerability affects IBM SDK for Node.js v1.2.0.3 and v1.2.0.4.
This vulnerability affects IBM SDK for Node.js v1.1.0.15.
The fix for this vulnerability is included in IBM SDK for Node.js v1.2.0.5 and subsequent releases.
The fix for this vulnerability is included in IBM SDK for Node.js v1.1.0.16 and subsequent releases.
Note: A fix for CVE-2014-8176 was provided in OpenSSL versions 0.9.8za, 1.0.0m, and 1.0.1h. The original bulletin for this OpenSSL release is here.
IBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from here.
IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.
CPE | Name | Operator | Version |
---|---|---|---|
ibm sdk for node.js | eq | 1.1 | |
ibm sdk for node.js | eq | 1.2 |