CVE-2023-2975 — Improper Validation of Integrity Check Value in Openssl
Severity
5.3MEDIUMNVD
EPSS
0.2%
top 59.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJul 14
Latest updateApr 10
Description
Issue summary: The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a consequence.
Impact summary: Applications that use the AES-SIV algorithm and want to
authenticate empty data entries as associated data can be misled by removing,
adding or reordering such empty entries as these are ignored by the OpenSSL
implementation. We are currently unaware of any such applications.
The AES-SIV algorithm allows for authentic…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4
Affected Packages11 packages
Patches
🔴Vulnerability Details
4OSV▶
CVE-2023-2975: Issue summary: The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a↗2023-07-14
OSV▶
CVE-2023-2975: Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a↗2023-07-14
GHSA▶
GHSA-hpqg-7fjp-436p: Issue summary: The AES-SIV cipher implementation contains a bug that causes
it to ignore empty associated data entries which are unauthenticated as
a↗2023-07-14