CVE-2022-1343
MEDIUM5.3EPSS 0.19%`OCSP_basic_verify` may incorrectly verify the response signing certificate
Published: 5/4/2022Modified: 11/8/2023
Description
The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0.
Affected packages (4)
- Alpine/opensslfrom 0, < 3.0.3-r0
- Alpine/openssl3from 0, < 3.0.3-r0
- crates.io/openssl-src>= 300.0.0, < 300.0.6
- crates.io/openssl-src>= 300.0.0, < 300.0.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-1343
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-1343
- PATCHhttps://crates.io/crates/openssl-src
- WEBhttps://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
- WEBhttps://github.com/github/advisory-database/issues/405
- WEBhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2eda98790c5c2741d76d23cc1e74b0dc4f4b391a
- WEBhttps://rustsec.org/advisories/RUSTSEC-2022-0027.html
- WEBhttps://security.netapp.com/advisory/ntap-20220602-0009
- WEBhttps://www.openssl.org/news/secadv/20220503.txt