CVE-2023-5363 — Incorrect Provision of Specified Functionality in OpenSSL
Severity
NVD: 7.5 HIGH
OSV: 5.3
EPSS
4.7% (top 10.57%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 25
Latest update: Jun 12
Description
Issue summary: A bug has been identified in the processing of key and
initialisation vector (IV) lengths. This can lead to potential truncation
or overruns during the initialisation of some symmetric ciphers.
Impact summary: A truncation in the IV can result in non-uniqueness,
which could result in loss of confidentiality for some cipher modes.
When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or
EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after
the key and IV have …
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 16 packages
Also affects: Debian Linux 12.0
Patches
Vulnerability Details
OSV, 2023-10-25: CVE-2023-5363: Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths
GHSA, 2023-10-25: GHSA-xw78-pcr6-wrg8: Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths