5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
0.007 Low
EPSS
Percentile
81.0%
DISPUTED M2Crypto does not properly check the return value from the
OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and
ECDSA_do_verify functions, which might allow remote attackers to bypass
validation of the certificate chain via a malformed SSL/TLS signature, a
similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the
relevance of this report to the M2Crypto product because "these functions
are not used anywhere in m2crypto."
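The bug class named above (the CVE-2008-5077 pattern) is a caller treating any non-zero return from OpenSSL's verify functions as success. DSA_verify, ECDSA_verify, DSA_do_verify, ECDSA_do_verify and EVP_VerifyFinal return 1 for a valid signature, 0 for an invalid one, and -1 on error, for example when the signature blob cannot be parsed. The following is an added illustration, not code from M2Crypto or OpenSSL: `mock_verify` is a constructed stand-in that follows the same 1/0/-1 contract using a trivial length-prefixed "signature" encoding, and the three sample signatures are constructed inputs. Whether M2Crypto actually contains such a call site is exactly what the dispute on this page is about; the example only shows why the check matters.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's *_verify() family (NOT OpenSSL code).
 * Contract mirrored from the real functions: 1 = valid, 0 = invalid,
 * -1 = error (e.g. the signature blob failed to parse).
 * Toy encoding: byte 0 is the claimed body length, the rest is the body. */
static const unsigned char GOOD_SIG_BODY[] = { 0xde, 0xad, 0xbe, 0xef };

/* Constructed sample signatures. */
const unsigned char SIG_GOOD[]      = { 4, 0xde, 0xad, 0xbe, 0xef }; /* valid      */
const unsigned char SIG_BAD[]       = { 4, 0x00, 0x00, 0x00, 0x00 }; /* wrong body */
const unsigned char SIG_MALFORMED[] = { 9, 0xde, 0xad };             /* bad length */

int mock_verify(const unsigned char *sig, size_t siglen)
{
    if (siglen < 1 || sig[0] != siglen - 1)
        return -1;                      /* malformed: length prefix disagrees */
    if (siglen - 1 != sizeof GOOD_SIG_BODY)
        return 0;                       /* well-formed but wrong size */
    return memcmp(sig + 1, GOOD_SIG_BODY, sizeof GOOD_SIG_BODY) == 0 ? 1 : 0;
}

/* Vulnerable call site: "non-zero means OK", so the -1 error path from a
 * malformed signature is accepted as a valid signature. */
int accepts_vulnerable(const unsigned char *sig, size_t siglen)
{
    return mock_verify(sig, siglen) != 0;
}

/* Correct call site: only the documented success value is accepted;
 * both 0 (invalid) and -1 (error) are rejected. */
int accepts_fixed(const unsigned char *sig, size_t siglen)
{
    return mock_verify(sig, siglen) == 1;
}

int main(void)
{
    printf("good      vulnerable=%d fixed=%d\n",
           accepts_vulnerable(SIG_GOOD, sizeof SIG_GOOD),
           accepts_fixed(SIG_GOOD, sizeof SIG_GOOD));
    printf("bad       vulnerable=%d fixed=%d\n",
           accepts_vulnerable(SIG_BAD, sizeof SIG_BAD),
           accepts_fixed(SIG_BAD, sizeof SIG_BAD));
    printf("malformed vulnerable=%d fixed=%d\n",
           accepts_vulnerable(SIG_MALFORMED, sizeof SIG_MALFORMED),
           accepts_fixed(SIG_MALFORMED, sizeof SIG_MALFORMED));
    return 0;
}
```

When auditing a wrapper or binding for this class of bug, grep for the verify calls and inspect each comparison: `if (rc)`, `if (rc != 0)` and `if (!rc) fail` are all wrong; `if (rc != 1) fail` (or `rc == 1` for success) is the only safe form, because the error return is also non-zero.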
Author | Note |
---|---|
mdeslaur | may not be an issue, see redhat bug debian: "m2crypto provides a direct mapping of the OpenSSL functions, no incorrect call sites are known, if such are found they should be fixed in the respective" marking this as ignored |