CVE-2023-0286

CWE-843, CWE-704 | 21 documents | 11 sources
Severity: 7.4 HIGH
EPSS: 89.0% (top 0.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 8
Latest update: Nov 26

Description

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulner

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 2.2 | Impact: 5.2

Affected Packages (11 packages)

crates.io | openssl-src | 0.0.0-0 | 111.25.0 | +2
CVEListV5 | openssl/openssl | 3.0.0 | 3.0.8 | +2
NVD | openssl/openssl | 1.0.2 | 1.0.2zg | +2
Alpine | openssl | < 1.1.1t-r0 | +9

Patches

🔴 Vulnerability Details (9)

OSV: CVE-2023-0286: There is a type confusion vulnerability relating to X (2023-02-08)
OSV: CVE-2023-0286: There is a type confusion vulnerability relating to X (2023-02-08)
CVEList: X.400 address type confusion in X.509 GeneralName (2023-02-08)
OSV: Vulnerable OpenSSL included in cryptography wheels (2023-02-08)
GHSA: Vulnerable OpenSSL included in cryptography wheels (2023-02-08)

📋 Vendor Advisories (10)

Ubuntu: EDK II vulnerabilities (2025-11-26)
Ubuntu: Node.js vulnerabilities (2024-01-03)
Oracle: Oracle Oracle Communications Risk Matrix: Platform (OpenSSL) — CVE-2023-0286 (2023-07-15)
BSD: FreeBSD-SA-23:03.openssl: Multiple vulnerabilities in OpenSSL (2023-02-16)
Microsoft: X.400 address type confusion in X.509 GeneralName (2023-02-14)