CVE-2024-12797 — Missing Report of Error Condition in OpenSSL
Severity: 6.3 MEDIUM (NVD)
EPSS: 0.8% (top 26.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 11; latest update Apr 10
Description
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a
server may fail to notice that the server was not authenticated, because
handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode
is set.
Impact summary: TLS and DTLS connections using raw public keys may be
vulnerable to man-in-the-middle attacks when server authentication failure is
not detected by clients.
RPKs are disabled by default in both TLS clients and TLS servers. The issue
only arises when…
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (Exploitability: 2.8 | Impact: 3.4)
Affected Packages: 24 packages
Vulnerability Details
VulDB (6): OpenSSL up to 3.4.0 RFC7250 Raw Public Key error condition (Nessus ID 216104 / WID-SEC-2025-1850), 2026-04-10
OSV: CVE-2024-12797: Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because… 2025-02-11
Vendor Advisories
Oracle (8): Oracle Communications Risk Matrix: Alarms, KPI, and Measurements (Cryptography) — CVE-2024-12797, 2025-07-15