CVE-2023-21265 — Improper Certificate Validation in System Ca-certificates

CWE-295 — Improper Certificate Validation4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 64.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Platform System Ca-certificates Google Android

Timeline

PublishedAug 14

Description

In multiple locations, there are root CA certificates which need to be disabled. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Androidplatform/system_ca-certificates13-next:0 — 13-next:2023-08-01+4

▶CVEListV5google/android4 versions+3

▶NVDgoogle/android4 versions+3

▶googlegoogle/android

Patches

Patch: android.googlesource.com ↗Patch: source.android.com ↗Patch: android.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-g529-hv2c-7mqf: In multiple locations, there are root CA certificates which need to be disabled↗2023-08-14

▶

OSV

CVE-2023-21265: In multiple locations, there are root CA certificates which need to be disabled↗2023-08-01

▶

📋Vendor Advisories

Android

CVE-2023-21265: Android Security Bulletin 2023-08-01 CVE: CVE-2023-21265 Severity: HIGH Type: ID Affected AOSP versions: 11, 12, 12L, 13 References: A-262521447↗2023-08-01

▶