CVE-2009-0127
Published Jan 15, 2009
Last updated 3 months ago
Overview
- Description
- M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto.
- Source
- cve@mitre.org
- NVD status
- Modified
- CNA Tags
- disputed
Social media
- Hype score
- Not currently trending
Risk scores
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
Weaknesses
- nvd@nist.gov
- CWE-287
Vendor comments
- Red HatRed Hat does not consider this to be a security issue. M2Crypto provides python interfaces to multiple OpenSSL functions. Neither of those interfaces is further used by M2Crypto in an insecure way. Additionally, no application shipped in Red Hat Enterprise Linux is known to use affected interfaces provided by M2Crypto. Further details can be found in the following bug report: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0127#c1
Configurations
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:heikkitoivonen:m2crypto:-:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "0FDB41E1-9DB5-4F02-AAA3-8CB475EE073F"
}
],
"operator": "OR"
}
]
}
]