VulnerableCode Vulnerability Details - VCID-7wv3-zxsp-aufa

Search for vulnerabilities

Vulnerability details: VCID-7wv3-zxsp-aufa

Essentials
Severities (8)
References (5)
Severity details (0)
Exploits (2)
EPSS
History (1)

Vulnerability ID	VCID-7wv3-zxsp-aufa
Aliases	CVE-2015-1793
Summary	openssl: alternative chains certificate forgery
Status	Published
Exploitability	2.0
Weighted Severity	0.8
Risk	1.6
Affected and Fixed Packages	Package Details

Weaknesses (0)

There are no known CWE.

System	Score	Found at
epss	0.82685	https://api.first.org/data/v1/epss?cve=CVE-2015-1793
epss	0.82685	https://api.first.org/data/v1/epss?cve=CVE-2015-1793
epss	0.82685	https://api.first.org/data/v1/epss?cve=CVE-2015-1793
epss	0.82685	https://api.first.org/data/v1/epss?cve=CVE-2015-1793
epss	0.85629	https://api.first.org/data/v1/epss?cve=CVE-2015-1793
epss	0.85629	https://api.first.org/data/v1/epss?cve=CVE-2015-1793
epss	0.85629	https://api.first.org/data/v1/epss?cve=CVE-2015-1793
epss	0.85629	https://api.first.org/data/v1/epss?cve=CVE-2015-1793

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-1793.json
		https://api.first.org/data/v1/epss?cve=CVE-2015-1793
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
1238619		https://bugzilla.redhat.com/show_bug.cgi?id=1238619
CVE-2015-1793;OSVDB-124300	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/38640.rb

Data source	Exploit-DB
Date added	Nov. 5, 2015
Description	OpenSSL - Alternative Chains Certificate Forgery
Ransomware campaign use	Unknown
Source publication date	Nov. 5, 2015
Exploit type	webapps
Platform	multiple
Source update date	Nov. 5, 2015

Data source	Metasploit
Description	This module exploits a logic error in OpenSSL by impersonating the server and sending a specially-crafted chain of certificates, resulting in certain checks on untrusted certificates to be bypassed on the client, allowing it to use a valid leaf certificate as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server allowing the session to continue normally and application data transmitted between the peers to be saved. The valid leaf certificate must not contain the keyUsage extension or it must have at least the keyCertSign bit set (see X509_check_issued function in crypto/x509v3/v3_purp.c); otherwise; X509_verify_cert fails with X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. This module requires an active man-in-the-middle attack.
Note	{}
Ransomware campaign use	Unknown
Source publication date	July 9, 2015
Source URL	https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/server/openssl_altchainsforgery_mitm_proxy.rb

There are no known vectors.

Exploit Prediction Scoring System (EPSS)

Percentile	0.99183
EPSS Score	0.82685
Published At	Aug. 12, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T11:04:52.020336+00:00	RedHat Importer	Import	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-1793.json	37.0.0