{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44399?format=json","vulnerability_id":"VCID-ts7c-u8g2-rqa4","summary":"Access of Resource Using Incompatible Type ('Type Confusion')\nThere is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.","aliases":[{"alias":"CVE-2023-0286"},{"alias":"GHSA-x4qr-2fvf-3mr5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63866?format=json","purl":"pkg:conan/openssl@1.1.1w","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1w"},{"url":"http://public2.vulnerablecode.io/api/packages/63867?format=json","purl":"pkg:conan/openssl@3.0.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nx5k-32hq-yuh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.12"},{"url":"http://public2.vulnerablecode.io/api/packages/31338?format=json","purl":"pkg:pypi/cryptography@39.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzvc-j4et-ukgu"},{"vulnerability":"VCID-jksg-v3x3-z3d3"},{"vulnerability":"VCID-n7hx-bfnn-5kgc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@39.0.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58751?format=json","purl":"pkg:conan/openssl@1.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1hgm-58xg-r7bt"},{"vulnerability":"VCID-3g6n-ujyv-jub3"},{"vulnerability":"VCID-5a2a-trbk-fkfg"},{"vulnerability":"VCID-8q7w-7je3-zkgt"},{"vulnerability":"VCID-as38-bfar-q3hh"},{"vulnerability":"VCID-erdm-7pfg-e7hc"},{"vulnerability":"VCID-ju5y-bakm-mqd8"},{"vulnerability":"VCID-mnkq-e45g-fyfw"},{"vulnerability":"VCID-nqu1-ffyz-wubt"},{"vulnerability":"VCID-taas-512g-jfdw"},{"vulnerability":"VCID-ts7c-u8g2-rqa4"},{"vulnerability":"VCID-uw52-vah8-uqda"},{"vulnerability":"VCID-w1qj-n768-hbar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/58752?format=json","purl":"pkg:conan/openssl@1.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1hgm-58xg-r7bt"},{"vulnerability":"VCID-3g6n-ujyv-jub3"},{"vulnerability":"VCID-8q7w-7je3-zkgt"},{"vulnerability":"VCID-as38-bfar-q3hh"},{"vulnerability":"VCID-erdm-7pfg-e7hc"},{"vulnerability":"VCID-gj2m-z5b6-6yf2"},{"vulnerability":"VCID-ju5y-bakm-mqd8"},{"vulnerability":"VCID-mm8w-472m-puea"},{"vulnerability":"VCID-mnkq-e45g-fyfw"},{"vulnerability":"VCID-n1r2-zqmn-2ufh"},{"vulnerability":"VCID-taas-512g-jfdw"},{"vulnerability":"VCID-ts7c-u8g2-rqa4"},{"vulnerability":"VCID-uw52-vah8-uqda"},{"vulnerability":"VCID-w1qj-n768-hbar"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@1.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/59827?format=json","purl":"pkg:conan/openssl@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1hgm-58xg-r7bt"},{"vulnerability":"VCID-1yjs-f4gq-h7ht"},{"vulnerability":"VCID-3g6n-ujyv-jub3"},{"vulnerability":"VCID-5a2a-trbk-fkfg"},{"vulnerability":"VCID-5rhg-tvzd-h7es"},{"vulnerability":"VCID-86j5-ag2t-2qhj"},{"vulnerability":"VCID-8q7w-7je3-zkgt"},{"vulnerability":"VCID-97cm-wmq1-gkfd"},{"vulnerability":"VCID-as38-bfar-q3hh"},{"vulnerability":"VCID-erdm-7pfg-e7hc"},{"vulnerability":"VCID-f2np-fk61-nbh1"},{"vulnerability":"VCID-gj2m-z5b6-6yf2"},{"vulnerability":"VCID-ju5y-bakm-mqd8"},{"vulnerability":"VCID-m7sy-6spe-6yau"},{"vulnerability":"VCID-mm8w-472m-puea"},{"vulnerability":"VCID-mnkq-e45g-fyfw"},{"vulnerability":"VCID-nqu1-ffyz-wubt"},{"vulnerability":"VCID-nx5k-32hq-yuh4"},{"vulnerability":"VCID-s6rb-rb8j-yfc6"},{"vulnerability":"VCID-sd2f-6nk6-dua6"},{"vulnerability":"VCID-se2f-3x6g-7uc6"},{"vulnerability":"VCID-taas-512g-jfdw"},{"vulnerability":"VCID-tjhj-1wc7-rych"},{"vulnerability":"VCID-ts7c-u8g2-rqa4"},{"vulnerability":"VCID-vyxk-cz2r-ffgf"},{"vulnerability":"VCID-w1qj-n768-hbar"},{"vulnerability":"VCID-yhn2-ctzh-ducy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:conan/openssl@3.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/9809?format=json","purl":"pkg:pypi/cryptography@0.8.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8kj7-du9v-uugw"},{"vulnerability":"VCID-jksg-v3x3-z3d3"},{"vulnerability":"VCID-ts7c-u8g2-rqa4"},{"vulnerability":"VCID-v56n-dpyv-rug7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@0.8.1"}],"references":[{"reference_url":"https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt","reference_id":"","reference_type":"","scores":[],"url":"https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt"},{"reference_url":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig","reference_id":"","reference_type":"","scores":[],"url":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig"},{"reference_url":"https://github.com/pyca/cryptography","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography"},{"reference_url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9","reference_id":"","reference_type":"","scores":[],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9"},{"reference_url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658","reference_id":"","reference_type":"","scores":[],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658"},{"reference_url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d","reference_id":"","reference_type":"","scores":[],"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d"},{"reference_url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003","reference_id":"","reference_type":"","scores":[],"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003"},{"reference_url":"https://rustsec.org/advisories/RUSTSEC-2023-0006.html","reference_id":"","reference_type":"","scores":[],"url":"https://rustsec.org/advisories/RUSTSEC-2023-0006.html"},{"reference_url":"https://security.gentoo.org/glsa/202402-08","reference_id":"","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202402-08"},{"reference_url":"https://www.openssl.org/news/secadv/20230207.txt","reference_id":"","reference_type":"","scores":[],"url":"https://www.openssl.org/news/secadv/20230207.txt"},{"reference_url":"https://access.redhat.com/security/cve/cve-2023-0286","reference_id":"CVE-2023-0286","reference_type":"","scores":[],"url":"https://access.redhat.com/security/cve/cve-2023-0286"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0286","reference_id":"CVE-2023-0286","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-0286"},{"reference_url":"https://github.com/advisories/GHSA-x4qr-2fvf-3mr5","reference_id":"GHSA-x4qr-2fvf-3mr5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-x4qr-2fvf-3mr5"},{"reference_url":"https://github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5","reference_id":"GHSA-x4qr-2fvf-3mr5","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-x4qr-2fvf-3mr5"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":843,"name":"Access of Resource Using Incompatible Type ('Type Confusion')","description":"The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ts7c-u8g2-rqa4"}