Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/44399?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44399?format=api", "vulnerability_id": "VCID-ts7c-u8g2-rqa4", "summary": "Access of Resource Using Incompatible Type ('Type Confusion')\nThere is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.", "aliases": [ { "alias": "CVE-2023-0286" }, { "alias": "GHSA-x4qr-2fvf-3mr5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63866?format=api", "purl": "pkg:conan/openssl@1.1.1w", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1w" }, { "url": "http://public2.vulnerablecode.io/api/packages/63867?format=api", "purl": "pkg:conan/openssl@3.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-nx5k-32hq-yuh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/31338?format=api", "purl": "pkg:pypi/cryptography@39.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dzvc-j4et-ukgu" }, { "vulnerability": "VCID-jksg-v3x3-z3d3" }, { "vulnerability": "VCID-n7hx-bfnn-5kgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@39.0.1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/58751?format=api", "purl": "pkg:conan/openssl@1.0.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1hgm-58xg-r7bt" }, { "vulnerability": "VCID-3g6n-ujyv-jub3" }, { "vulnerability": "VCID-5a2a-trbk-fkfg" }, { "vulnerability": "VCID-8q7w-7je3-zkgt" }, { "vulnerability": "VCID-as38-bfar-q3hh" }, { "vulnerability": "VCID-erdm-7pfg-e7hc" }, { "vulnerability": "VCID-ju5y-bakm-mqd8" }, { "vulnerability": "VCID-mnkq-e45g-fyfw" }, { "vulnerability": "VCID-nqu1-ffyz-wubt" }, { "vulnerability": "VCID-taas-512g-jfdw" }, { "vulnerability": "VCID-ts7c-u8g2-rqa4" }, { "vulnerability": "VCID-uw52-vah8-uqda" }, { "vulnerability": "VCID-w1qj-n768-hbar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.0.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/58752?format=api", "purl": "pkg:conan/openssl@1.1.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1hgm-58xg-r7bt" }, { "vulnerability": "VCID-3g6n-ujyv-jub3" }, { "vulnerability": "VCID-8q7w-7je3-zkgt" }, { "vulnerability": "VCID-as38-bfar-q3hh" }, { "vulnerability": "VCID-erdm-7pfg-e7hc" }, { "vulnerability": "VCID-gj2m-z5b6-6yf2" }, { "vulnerability": "VCID-ju5y-bakm-mqd8" }, { "vulnerability": "VCID-mm8w-472m-puea" }, { "vulnerability": "VCID-mnkq-e45g-fyfw" }, { "vulnerability": "VCID-n1r2-zqmn-2ufh" }, { "vulnerability": "VCID-taas-512g-jfdw" }, { "vulnerability": "VCID-ts7c-u8g2-rqa4" }, { "vulnerability": "VCID-uw52-vah8-uqda" }, { "vulnerability": "VCID-w1qj-n768-hbar" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/59827?format=api", "purl": "pkg:conan/openssl@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1hgm-58xg-r7bt" }, { "vulnerability": "VCID-1yjs-f4gq-h7ht" }, { "vulnerability": "VCID-3g6n-ujyv-jub3" }, { "vulnerability": "VCID-5a2a-trbk-fkfg" }, { "vulnerability": "VCID-5rhg-tvzd-h7es" }, { "vulnerability": "VCID-86j5-ag2t-2qhj" }, { "vulnerability": "VCID-8q7w-7je3-zkgt" }, { "vulnerability": "VCID-97cm-wmq1-gkfd" }, { "vulnerability": "VCID-as38-bfar-q3hh" }, { "vulnerability": "VCID-erdm-7pfg-e7hc" }, { "vulnerability": "VCID-f2np-fk61-nbh1" }, { "vulnerability": "VCID-gj2m-z5b6-6yf2" }, { "vulnerability": "VCID-ju5y-bakm-mqd8" }, { "vulnerability": "VCID-m7sy-6spe-6yau" }, { "vulnerability": "VCID-mm8w-472m-puea" }, { "vulnerability": "VCID-mnkq-e45g-fyfw" }, { "vulnerability": "VCID-nqu1-ffyz-wubt" }, { "vulnerability": "VCID-nx5k-32hq-yuh4" }, { "vulnerability": "VCID-s6rb-rb8j-yfc6" }, { "vulnerability": "VCID-sd2f-6nk6-dua6" }, { "vulnerability": "VCID-se2f-3x6g-7uc6" }, { "vulnerability": "VCID-taas-512g-jfdw" }, { "vulnerability": "VCID-tjhj-1wc7-rych" }, { "vulnerability": "VCID-ts7c-u8g2-rqa4" }, { "vulnerability": "VCID-vyxk-cz2r-ffgf" }, { "vulnerability": "VCID-w1qj-n768-hbar" }, { "vulnerability": "VCID-yhn2-ctzh-ducy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/9809?format=api", "purl": "pkg:pypi/cryptography@0.8.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8kj7-du9v-uugw" }, { "vulnerability": "VCID-jksg-v3x3-z3d3" }, { "vulnerability": "VCID-ts7c-u8g2-rqa4" }, { "vulnerability": "VCID-v56n-dpyv-rug7" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@0.8.1" } ], "references": [ { "reference_url": "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt" }, { "reference_url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig", "reference_id": "", "reference_type": "", "scores": [], "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig" }, { "reference_url": "https://github.com/pyca/cryptography", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/pyca/cryptography" }, { "reference_url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9" }, { "reference_url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658", "reference_id": "", "reference_type": "", "scores": [], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658" }, { "reference_url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d", "reference_id": "", "reference_type": "", "scores": [], "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d" }, { "reference_url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003", "reference_id": "", "reference_type": "", "scores": [], "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003" }, { "reference_url": "https://rustsec.org/advisories/RUSTSEC-2023-0006.html", "reference_id": "", "reference_type": "", "scores": [], "url": "https://rustsec.org/advisories/RUSTSEC-2023-0006.html" }, { "reference_url": "https://security.gentoo.org/glsa/202402-08", "reference_id": "", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202402-08" }, { "reference_url": "https://www.openssl.org/news/secadv/20230207.txt", "reference_id": "", "reference_type": "", "scores": [], "url": "https://www.openssl.org/news/secadv/20230207.txt" }, { "reference_url": "https://access.redhat.com/security/cve/cve-2023-0286", "reference_id": "CVE-2023-0286", "reference_type": "", "scores": [], "url": "https://access.redhat.com/security/cve/cve-2023-0286" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286", "reference_id": "CVE-2023-0286", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0286" }, { "reference_url": "https://github.com/advisories/GHSA-x4qr-2fvf-3mr5", "reference_id": "GHSA-x4qr-2fvf-3mr5", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-x4qr-2fvf-3mr5" }, { "reference_url": "https://github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5", "reference_id": "GHSA-x4qr-2fvf-3mr5", "reference_type": "", "scores": [], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 843, "name": "Access of Resource Using Incompatible Type ('Type Confusion')", "description": "The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ts7c-u8g2-rqa4" }