CVE-2009-0591 — Improper Authentication in Openssl

CWE-287 — Improper Authentication6 documents6 sources

Severity

2.6LOWNVD

EPSS

2.4%

top 14.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedMar 27

Latest updateDec 29

Description

The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages2 packages

▶debiandebian/openssl

▶NVDopenssl/openssl0.9.8h, 0.9.8i, 0.9.8j+2

🔴Vulnerability Details

GHSA

GHSA-xfgm-r927-x577: The CMS_verify function in OpenSSL 0↗2022-05-03

▶

📋Vendor Advisories

Red Hat

openssl: incorrect error checking during CMS verification↗2009-03-25

▶

Debian

CVE-2009-0591: openssl - The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, d...↗2009

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2009-0591 openssl: incorrect error checking during CMS verification↗2009-03-27

▶