CVE-2017-8301 — Improper Certificate Validation in Libressl

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 56.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openbsd Libressl

Timeline

PublishedApr 27

Latest updateMay 13

Description

LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

▶Alpineopenbsd/libressl< 2.5.3-r1+7

▶NVDopenbsd/libressl2.5.1, 2.5.2, 2.5.3+2

Patches

Patch: github.com ↗Patch: trac.nginx.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-phvv-c9gw-v54h: LibreSSL 2↗2022-05-13

▶

OSV

CVE-2017-8301: LibreSSL 2↗2017-04-27

▶