AZL-34663

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-34663.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-34663

Upstream

CVE-2023-0465

Published

2023-03-28T15:15:06Z

Modified

2026-04-01T05:12:38.463185Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

CVE-2023-0465 affecting package edk2 for versions less than 20230301gitf80f052277c8-37

Details

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the -policy' argument to the command line utilities or by calling theX509VERIFYPARAMset1policies()' function.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-0465

Affected packages

Azure Linux:3 / edk2

Package

Name: edk2
Purl: pkg:rpm/azure-linux/edk2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20230301gitf80f052277c8-37

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-34663.json"