OpenSSL X.509 Certification Authority Spoofing Vulnerability
CVE-2015-1793

6.5MEDIUM

Key Information:

Vendor
Oracle
Status
Supply Chain Products Suite
Vendor
CVE Published:
9 July 2015

Summary

The vulnerability in the X509_verify_cert function of OpenSSL versions 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c allows an attacker to manipulate the handling of X.509 Basic Constraints, which can lead to successful certification authority spoofing. This flaw could enable attackers to present a valid leaf certificate while causing unintended verifications, potentially undermining the integrity of secure communications and processes reliant on certificate validation.

References

http://marc.info/?l=bugtraq&m=143880121627664&w=2
vendor-advisoryx_refsource_HP
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/do...
x_refsource_CONFIRM
http://www.securitytracker.com/id/1032817
vdb-entryx_refsource_SECTRACK

EPSS Score

87% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.