Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:conan/openssl@1.0.2i

Type conan

Namespace

Name openssl

Version 1.0.2i

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.1.1w

Latest_non_vulnerable_version 1.1.1w

Affected_by_vulnerabilities

url VCID-w1qj-n768-hbar

vulnerability_id VCID-w1qj-n768-hbar

summary

Excessive Iteration
Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex()
or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long
delays. Where the key or parameters that are being checked have been obtained
from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing
CVE-2023-3446 it was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A correct q value,
if present, cannot be larger than the modulus p parameter, thus it is
unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained
from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions.
An application calling any of those other functions may similarly be affected.
The other functions affected by this are DH_check_ex() and
EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications
when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3817.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-3817.json

reference_url	http://seclists.org/fulldisclosure/2023/Jul/43
reference_id
reference_type
scores
url	http://seclists.org/fulldisclosure/2023/Jul/43

reference_url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5
reference_id
reference_type
scores
url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5

reference_url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644
reference_id
reference_type
scores
url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644

reference_url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f
reference_id
reference_type
scores
url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f

reference_url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5
reference_id
reference_type
scores
url	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5

reference_url	https://www.openssl.org/news/secadv/20230731.txt
reference_id
reference_type
scores
url	https://www.openssl.org/news/secadv/20230731.txt

reference_url	http://www.openwall.com/lists/oss-security/2023/07/31/1
reference_id
reference_type
scores
url	http://www.openwall.com/lists/oss-security/2023/07/31/1

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2227852
reference_id	2227852
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2227852

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-3817
reference_id	CVE-2023-3817
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-3817

reference_url	https://access.redhat.com/errata/RHSA-2023:5931
reference_id	RHSA-2023:5931
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5931

reference_url	https://access.redhat.com/errata/RHSA-2023:7622
reference_id	RHSA-2023:7622
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7622

reference_url	https://access.redhat.com/errata/RHSA-2023:7623
reference_id	RHSA-2023:7623
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7623

reference_url	https://access.redhat.com/errata/RHSA-2023:7625
reference_id	RHSA-2023:7625
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7625

reference_url	https://access.redhat.com/errata/RHSA-2023:7626
reference_id	RHSA-2023:7626
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7626

reference_url	https://access.redhat.com/errata/RHSA-2023:7877
reference_id	RHSA-2023:7877
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7877

reference_url	https://access.redhat.com/errata/RHSA-2024:0154
reference_id	RHSA-2024:0154
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0154

reference_url	https://access.redhat.com/errata/RHSA-2024:0208
reference_id	RHSA-2024:0208
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0208

reference_url	https://access.redhat.com/errata/RHSA-2024:2447
reference_id	RHSA-2024:2447
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2447

fixed_packages

url	pkg:conan/openssl@1.1.1w
purl	pkg:conan/openssl@1.1.1w
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1w

url pkg:conan/openssl@3.0.12

purl pkg:conan/openssl@3.0.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nx5k-32hq-yuh4

resource_url http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.12

url	pkg:conan/openssl@3.1.3
purl	pkg:conan/openssl@3.1.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.1.3

aliases CVE-2023-3817

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w1qj-n768-hbar

Fixing_vulnerabilities

Risk_score 2.4

Resource_url http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.0.2i

Package Instance