{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2023-0464","assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","state":"PUBLISHED","assignerShortName":"openssl","dateReserved":"2023-01-24T13:50:25.835Z","datePublished":"2023-03-22T16:36:47.383Z","dateUpdated":"2025-05-05T16:08:48.783Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"OpenSSL","vendor":"OpenSSL","versions":[{"lessThan":"3.1.1","status":"affected","version":"3.1.0","versionType":"semver"},{"lessThan":"3.0.9","status":"affected","version":"3.0.0","versionType":"semver"},{"lessThan":"1.1.1u","status":"affected","version":"1.1.1","versionType":"custom"},{"lessThan":"1.0.2zh","status":"affected","version":"1.0.2","versionType":"custom"}]}],"credits":[{"lang":"en","type":"reporter","user":"00000000-0000-4000-9000-000000000000","value":"David Benjamin (Google)"},{"lang":"en","type":"remediation developer","user":"00000000-0000-4000-9000-000000000000","value":"Dr Paul Dale"}],"datePublic":"2023-03-21T00:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A security vulnerability has been identified in all supported versions<br>of OpenSSL related to the verification of X.509 certificate chains<br>that include policy constraints.  Attackers may be able to exploit this<br>vulnerability by creating a malicious certificate chain that triggers<br>exponential use of computational resources, leading to a denial-of-service<br>(DoS) attack on affected systems.<br><br>Policy processing is disabled by default but can be enabled by passing<br>the `-policy' argument to the command line utilities or by calling the<br>`X509_VERIFY_PARAM_set1_policies()' function."}],"value":"A security vulnerability has been identified in all supported versions\nof OpenSSL related to the verification of X.509 certificate chains\nthat include policy constraints.  
Attackers may be able to exploit this\nvulnerability by creating a malicious certificate chain that triggers\nexponential use of computational resources, leading to a denial-of-service\n(DoS) attack on affected systems.\n\nPolicy processing is disabled by default but can be enabled by passing\nthe `-policy' argument to the command line utilities or by calling the\n`X509_VERIFY_PARAM_set1_policies()' function."}],"metrics":[{"format":"other","other":{"content":{"text":"Low"},"type":"https://www.openssl.org/policies/secpolicy.html"}}],"problemTypes":[{"descriptions":[{"description":"inefficient algorithmic complexity","lang":"en"}]}],"providerMetadata":{"orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl","dateUpdated":"2024-06-21T19:07:07.428Z"},"references":[{"name":"OpenSSL Advisory","tags":["vendor-advisory"],"url":"https://www.openssl.org/news/secadv/20230322.txt"},{"name":"3.1.1 git commit","tags":["patch"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"},{"name":"3.0.9 git commit","tags":["patch"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"},{"name":"1.1.1u git commit","tags":["patch"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"},{"name":"1.0.2zh patch (premium)","tags":["patch"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"},{"url":"https://www.couchbase.com/alerts/"},{"url":"https://www.debian.org/security/2023/dsa-5417"},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html"},{"url":"https://security.gentoo.org/glsa/202402-08"},{"url":"https://security.netapp.com/advisory/ntap-20240621-0006/"}],"source":{"discovery":"UNKNOWN"},"title":"Excessive Resource Usage Verifying X.509 Policy Constraints","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"title":"CVE 
Program Container","references":[{"url":"https://security.netapp.com/advisory/ntap-20230406-0006/"},{"name":"OpenSSL Advisory","tags":["vendor-advisory","x_transferred"],"url":"https://www.openssl.org/news/secadv/20230322.txt"},{"name":"3.1.1 git commit","tags":["patch","x_transferred"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545"},{"name":"3.0.9 git commit","tags":["patch","x_transferred"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1"},{"name":"1.1.1u git commit","tags":["patch","x_transferred"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b"},{"name":"1.0.2zh patch (premium)","tags":["patch","x_transferred"],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2dcd4f1e3115f38cefa43e3efbe9b801c27e642e"},{"url":"https://www.couchbase.com/alerts/","tags":["x_transferred"]},{"url":"https://www.debian.org/security/2023/dsa-5417","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html","tags":["x_transferred"]},{"url":"https://security.gentoo.org/glsa/202402-08","tags":["x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20240621-0006/","tags":["x_transferred"]}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T05:10:56.350Z"}},{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-295","lang":"en","description":"CWE-295 Improper Certificate 
Validation"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.5,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2025-04-23T13:26:32.875761Z","id":"CVE-2023-0464","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-05T16:08:48.783Z"}}]},"dataVersion":"5.1"}