Invalid pointer dereference in d2i_PKCS7 functions
CVE-2023-0216

7.5HIGH

Key Information:

Vendor: OpenSSL
Status: OpenSSL
Vendor: CVE Published:; 8 February 2023

What is CVE-2023-0216?

An invalid pointer dereference occurs when applications attempt to process malformed PKCS7 data using functions such as d2i_PKCS7(), d2i_PKCS7_bio(), or d2i_PKCS7_fp(). This flaw can lead to application crashes, effectively resulting in a denial of service. While the TLS implementation in OpenSSL itself does not invoke these functions, third-party applications that handle untrusted data might be at risk.

Affected Version(s)

OpenSSL 3.0.0 < 3.0.8

References

https://www.openssl.org/news/secadv/20230207.txt

vendor-advisory

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...

patch

https://security.gentoo.org/glsa/202402-08

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 8, 2023
Vulnerability Reserved
Jan 11, 2023

Credit

Marc Schönefeld

Tomáš Mráz