Package details: pkg:conan/openssl@3.0.7
purl pkg:conan/openssl@3.0.7
Tags Ghost
Next non-vulnerable version 3.2.6
Latest non-vulnerable version 3.2.6
Risk 4.0
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-1ggt-ugh5-jqeu
Aliases: CVE-2023-0216, GHSA-29xx-hcv2-c4cp
Summary: NULL Pointer Dereference. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash, which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call these functions; however, third-party applications might call them on untrusted data.
Fixed by: 3.0.12 (affected by 1 other vulnerability)
VCID-8s28-acfa-kkhj
Aliases: CVE-2023-0217, GHSA-vxrh-cpg7-8vjr
Summary: NULL Pointer Dereference. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key with the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources, which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function, but applications might call it if there are additional security requirements imposed by standards such as FIPS 140-3.
Fixed by: 3.0.12 (affected by 1 other vulnerability)
VCID-ncw4-3azc-1fb5
Aliases: CVE-2022-3996, GHSA-vr8j-hgmm-jh9r
Summary: Denial of service by double-checked locking in openssl-src. If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the '-policy' argument to the command line utilities or by calling either the 'X509_VERIFY_PARAM_add0_policy()' or 'X509_VERIFY_PARAM_set1_policies()' function.
Fixed by: 3.0.8 (affected by 0 other vulnerabilities)
VCID-xqt3-3um9-8faq
Aliases: CVE-2023-0401, GHSA-vrh7-x64v-7vxq
Summary: NULL Pointer Dereference. A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. If the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail. There is a missing check for the return value from the initialization function, which later leads to invalid usage of the digest API, most likely leading to a crash. The unavailability of an algorithm can be caused by using a FIPS-enabled configuration of providers or, more commonly, by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions; however, third-party applications would be affected if they call these functions to verify signatures on untrusted data.
Fixed by: 3.0.12 (affected by 1 other vulnerability)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2026-04-03T21:28:32.798831+00:00 | GitLab Importer | Affected by | VCID-ncw4-3azc-1fb5 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/conan/openssl/CVE-2022-3996.yml | 38.1.0 |
| 2026-04-03T21:28:14.088800+00:00 | GitLab Importer | Fixing | VCID-71yj-bmak-pkdu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/conan/openssl/CVE-2022-3602.yml | 38.1.0 |
| 2026-04-03T21:28:13.698429+00:00 | GitLab Importer | Fixing | VCID-xq7s-zrwb-yffw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/conan/openssl/CVE-2022-3786.yml | 38.1.0 |
| 2026-04-01T12:50:52.329273+00:00 | GitLab Importer | Affected by | VCID-8s28-acfa-kkhj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/conan/openssl/CVE-2023-0217.yml | 38.0.0 |
| 2026-04-01T12:50:52.288123+00:00 | GitLab Importer | Affected by | VCID-xqt3-3um9-8faq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/conan/openssl/CVE-2023-0401.yml | 38.0.0 |
| 2026-04-01T12:50:52.232964+00:00 | GitLab Importer | Affected by | VCID-1ggt-ugh5-jqeu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/conan/openssl/CVE-2023-0216.yml | 38.0.0 |