CVE-2009-0127Improper Authentication in M2crypto

CWE-287Improper Authentication7 documents6 sources
Severity
5.0MEDIUMNVD
OSV5.8
EPSS
0.1%
top 76.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Debian M2crypto
Timeline
PublishedJan 15
Latest updateMay 2

Description

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-933f-4fwg-646j: ** DISPUTED ** M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_2022-05-02
OSV
CVE-2009-0127: M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify funct2009-01-15

📋Vendor Advisories

2
Red Hat
m2crypto: OpenSSL incorrect checks for malformed signatures2009-01-11
Debian
CVE-2009-0127: m2crypto - M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFin...2009

💬Community

2
Bugzilla
CVE-2012-4452 mysql: regression of CVE-2009-40302012-09-26
Bugzilla
CVE-2009-0127 m2crypto: OpenSSL incorrect checks for malformed signatures2009-01-12