Authentication Bypass in LibreSSL and OpenBSD Products
CVE-2021-46880

9.8CRITICAL

Key Information:

Vendor: OpenBSD
Status: OpenBSD; Libressl
Vendor: CVE Published:; 15 April 2023

Summary

An authentication bypass vulnerability exists in LibreSSL and OpenBSD products due to an issue in the x509_verify.c component. This flaw arises because errors related to unverified certificate chains are occasionally ignored, enabling attackers to bypass authentication mechanisms. Users of impacted versions should apply necessary patches to mitigate potential security risks.

References

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4...

https://github.com/openbsd/src/commit/3f851282810fa0ab4b9...

https://ftp.openbsd.org/pub/OpenBSD/patches/7.0/common/00...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 15, 2023
Vulnerability Reserved
Apr 14, 2023