CVE-2002-0862
Published 2002-10-04
Priority: P427 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 18.68% (96.9th percentile)
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_nt | — | — |
CWE-296: Improper Following of a Certificate's Chain of Trust
The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate.
If a system does not follow the chain of trust of a certificate to a root server, the certificate loses all usefulness as a metric of trust. Essentially, the trust gained from a certificate is derived from a chain of trust -- with a reputable trusted entity at the end of that list. The end user must trust that reputable source, and this reputable source must vouch for the resource in question through the medium of the certificate. In some cases, this trust traverses several entities who vouch for one another. The enti
CWE-358: Improperly Implemented Security Check for Standard
The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: This is an implementation error, in which the algorithm/technique requires certain security-related behaviors or conditions that are not implemented or checked properly, thus causing a vulnerability.
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism.
Observed Examples:
CVE-2002-0862: Browser does not verify Basic Constraints of a certificate, even though it is required, allowing spoofing of trusted certificates.
CVE-2002-0970: Browser does not ve
CWE-295: Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.
Background: A certificate is a token that associates an identity (principal) to a cryptographic key. Certificates can be used to check if a public key belongs to the assumed owner.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Implementation
Note: When the product uses certificate pinning, the developer might not properly validate all relevant components of the certificate before pinning the certificate. This can make it difficult or expensive to test after the pinning is complete.
Common Consequences:
Scope: Integrity, Authentication. Im
http://marc.info/?l=bugtraq&m=102866120821995&w=2
http://marc.info/?l=bugtraq&m=102918200405308&w=2
http://marc.info/?l=bugtraq&m=102976967730450&w=2
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/ms02-050
https://exchange.xforce.ibmcloud.com/vulnerabilities/9776
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1056
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1332
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2671