AZL-25937

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-25937.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-25937

Upstream

CVE-2023-0465

Published

2023-03-28T15:15:06Z

Modified

2026-04-01T05:08:09.563261Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

CVE-2023-0465 affecting package openssl for versions less than 1.1.1k-23

Details

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling theX509VERIFYPARAMset1policies()' function.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-0465

Affected packages

Azure Linux:2 / openssl

Package

Name: openssl
Purl: pkg:rpm/azure-linux/openssl

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.1k-23

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-25937.json"