CVE-2009-3245 — Improper Input Validation in Openssl

CWE-20 — Improper Input Validation CWE-252 — Unchecked Return Value CWE-476 — NULL Pointer Dereference7 documents7 sources

Severity

10.0CRITICALNVD

EPSS

19.9%

top 4.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedMar 5

Latest updateMay 2

Description

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/openssl< openssl 0.9.8m-1 (bookworm)

▶Debianopenssl/openssl< 0.9.8m-1+3

▶NVDopenssl/openssl0.9.8l+12

Patches

Patch: marc.info ↗Patch: marc.info ↗Patch: marc.info ↗

🔴Vulnerability Details

GHSA

GHSA-c5qh-p8w9-vjq7: OpenSSL before 0↗2022-05-02

▶

OSV

CVE-2009-3245: OpenSSL before 0↗2010-03-05

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerabilities↗2010-10-07

▶

Red Hat

openssl: missing bn_wexpand return value checks↗2010-02-23

▶

Debian

CVE-2009-3245: openssl - OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand fun...↗2009

▶

💬Community

Bugzilla

CVE-2009-3245 openssl: missing bn_wexpand return value checks↗2010-03-05

▶