NULL dereference validating DSA public key
CVE-2023-0217

7.5HIGH

Key Information:

Vendor: OpenSSL
Status: OpenSSL
Vendor: CVE Published:; 8 February 2023

What is CVE-2023-0217?

An invalid pointer dereference can occur when the EVP_PKEY_public_check() function processes a malformed DSA public key. Should an application utilize this function with public keys from untrusted sources, it may lead to application crashes or denial of service. While the TLS implementation in OpenSSL does not invoke this function, applications meeting stringent security standards, such as FIPS 140-3, might engage the function, exposing them to potential disruptions.

Affected Version(s)

OpenSSL 3.0.0 < 3.0.8

References

https://www.openssl.org/news/secadv/20230207.txt

vendor-advisory

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdif...

patch

https://security.gentoo.org/glsa/202402-08

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 8, 2023
Vulnerability Reserved
Jan 11, 2023

Credit

Kurt Roeckx

Shane Lontis from Oracle