CVE-2009-0124: Improper Following of a Certificate's Chain of Trust in Tqsllib

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.1% (top 82.53%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 15; latest update May 2

Description

The tqsl_verifyDataBlock function in openssl_cert.cpp in American Radio Relay League (ARRL) tqsllib 2.0 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a vulnerability similar to CVE-2008-5077.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N (Exploitability: 10.0 | Impact: 2.9)

Affected Packages (1 package)

NVD: arrl/tqsllib 2.0

Vulnerability Details

GHSA: GHSA-2q3r-gf9c-fhv3: The tqsl_verifyDataBlock function in openssl_cert (2022-05-02)

Vendor Advisories

Red Hat: tqsllib: OpenSSL incorrect checks for malformed signatures (2009-01-11)

Framework References

CWE: Improper Following of a Certificate's Chain of Trust

Community

Bugzilla: CVE-2009-0124 tqsllib: OpenSSL incorrect checks for malformed signatures (2009-01-12)