CVE-2022-3786

CWE-120 — Classic Buffer Overflow CWE-119 — Buffer Overflow CWE-121 — Stack-based Buffer Overflow CWE-19324 documents15 sources

Severity

7.5HIGH

EPSS

20.6%

top 4.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Openssl Nodejs Node.js Fedoraproject Fedora

Timeline

PublishedNov 1

Latest updateNov 8

Description

A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the `.' character (deci…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶crates.ioopenssl-src300.0.0 — 300.0.11

▶NVDnodejs/node.js18.0.0 — 18.11.0+2

▶CVEListV5openssl/openssl3.0.0 — 3.0.7

▶NVDopenssl/openssl3.0.0 — 3.0.7

▶Debianopenssl< 3.0.7-1+2

Also affects: Fedora 36, 37

Patches

Patch: git.openssl.org ↗Patch: git.openssl.org ↗

🔴Vulnerability Details

GHSA

X.509 Email Address Variable Length Buffer Overflow↗2022-11-01

▶

OSV

X.509 Email Address Variable Length Buffer Overflow↗2022-11-01

▶

CVEList

X.509 Email Address Variable Length Buffer Overflow↗2022-11-01

▶

OSV

CVE-2022-3786: A buffer overrun can be triggered in X↗2022-11-01

▶

OSV

openssl vulnerabilities↗2022-11-01

▶

📋Vendor Advisories

Microsoft

OpenSSL: CVE-2022-3786 X.509 certificate verification buffer overrun↗2022-11-08

▶

Red Hat

OpenSSL: X.509 Email Address Variable Length Buffer Overflow↗2022-11-01

▶

Ubuntu

OpenSSL vulnerabilities↗2022-11-01

▶

Cisco

Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022↗2022-10-28

▶

Debian

CVE-2022-3786: openssl - A buffer overrun can be triggered in X.509 certificate verification, specificall...↗2022

▶

🕵️Threat Intelligence

Unit42

Threat Brief: CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows↗2022-11-03

▶

Unit42

Threat Brief: CVE-2022-3786 and CVE-2022-3602: OpenSSL X.509 Buffer Overflows↗2022-11-03

▶

Sentinelone

Everything You Need To Know About OpenSSL Vulnerabilities↗2022-11-02

▶

Sentinelone

Everything You Need To Know About OpenSSL Vulnerabilities↗2022-11-02

▶

Talos

Threat Advisory: High Severity OpenSSL Vulnerabilities↗2022-11-01

▶