{"url":"http://public2.vulnerablecode.io/api/packages/60984?format=json","purl":"pkg:conan/openssl@1.0.2zd","type":"conan","namespace":"","name":"openssl","version":"1.0.2zd","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.1.0l","latest_non_vulnerable_version":"3.2.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/45761?format=json","vulnerability_id":"VCID-w1qj-n768-hbar","summary":"Excessive Iteration\nIssue summary: Checking excessively long DH keys or parameters may be very slow.\n\nImpact summary: Applications that use the functions DH_check(), DH_check_ex()\nor EVP_PKEY_param_check() to check a DH key or DH parameters may experience long\ndelays. Where the key or parameters that are being checked have been obtained\nfrom an untrusted source this may lead to a Denial of Service.\n\nThe function DH_check() performs various checks on DH parameters. After fixing\nCVE-2023-3446 it was discovered that a large q parameter value can also trigger\nan overly long computation during some of these checks. A correct q value,\nif present, cannot be larger than the modulus p parameter, thus it is\nunnecessary to perform these checks if q is larger than p.\n\nAn application that calls DH_check() and supplies a key or parameters obtained\nfrom an untrusted source could be vulnerable to a Denial of Service attack.\n\nThe function DH_check() is itself called by a number of other OpenSSL functions.\nAn application calling any of those other functions may similarly be affected.\nThe other functions affected by this are DH_check_ex() and\nEVP_PKEY_param_check().\n\nAlso vulnerable are the OpenSSL dhparam and pkeyparam command line applications\nwhen using the \"-check\" option.\n\nThe OpenSSL SSL/TLS implementation is not affected by this issue.\n\nThe OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.","references":[{"reference_url":"http://seclists.org/fulldisclosure/2023/Jul/43","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/fulldisclosure/2023/Jul/43"},{"reference_url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5","reference_id":"","reference_type":"","scores":[],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a1eb62c29db6cb5eec707f9338aee00f44e26f5"},{"reference_url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644","reference_id":"","reference_type":"","scores":[],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=869ad69aadd985c7b8ca6f4e5dd0eb274c9f3644"},{"reference_url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f","reference_id":"","reference_type":"","scores":[],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9002fd07327a91f35ba6c1307e71fa6fd4409b7f"},{"reference_url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5","reference_id":"","reference_type":"","scores":[],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=91ddeba0f2269b017dc06c46c993a788974b1aa5"},{"reference_url":"https://www.openssl.org/news/secadv/20230731.txt","reference_id":"","reference_type":"","scores":[],"url":"https://www.openssl.org/news/secadv/20230731.txt"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/07/31/1","reference_id":"","reference_type":"","scores":[],"url":"http://www.openwall.com/lists/oss-security/2023/07/31/1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3817","reference_id":"CVE-2023-3817","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-3817"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63866?format=json","purl":"pkg:conan/openssl@1.1.1w","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1w"},{"url":"http://public2.vulnerablecode.io/api/packages/63867?format=json","purl":"pkg:conan/openssl@3.0.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nx5k-32hq-yuh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.12"},{"url":"http://public2.vulnerablecode.io/api/packages/64354?format=json","purl":"pkg:conan/openssl@3.1.3","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.1.3"}],"aliases":["CVE-2023-3817"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w1qj-n768-hbar"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42671?format=json","vulnerability_id":"VCID-nqu1-ffyz-wubt","summary":"Loop with Unreachable Exit Condition ('Infinite Loop')\nThe BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters","references":[{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20220321-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20220321-0002/"},{"reference_url":"https://www.debian.org/security/2022/dsa-5103","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2022/dsa-5103"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0778","reference_id":"CVE-2022-0778","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0778"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/60984?format=json","purl":"pkg:conan/openssl@1.0.2zd","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1qj-n768-hbar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.0.2zd"},{"url":"http://public2.vulnerablecode.io/api/packages/60985?format=json","purl":"pkg:conan/openssl@1.1.1n","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-w1qj-n768-hbar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1n"},{"url":"http://public2.vulnerablecode.io/api/packages/60986?format=json","purl":"pkg:conan/openssl@3.0.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.2"}],"aliases":["CVE-2022-0778"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nqu1-ffyz-wubt"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.0.2zd"}