Vulnerability details: VCID-c5pw-dhyr-aaad
Vulnerability ID VCID-c5pw-dhyr-aaad
Aliases CVE-2023-2975
Summary Issue summary: The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries, which are consequently left unauthenticated.
Impact summary: Applications that use the AES-SIV algorithm and want to authenticate empty data entries as associated data can be misled by removing, adding or reordering such empty entries, as these are ignored by the OpenSSL implementation. We are currently unaware of any such applications.
The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with a NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such a call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. As this issue does not affect non-empty associated data authentication and we expect it to be rare for an application to use empty associated data entries, this is qualified as a Low severity issue.
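The S2V chain that the summary refers to, as an added illustration that is not part of this page or of OpenSSL's code: it models the S2V construction of RFC 5297 (one PRF call per associated-data string, chained with dbl and xorend, plaintext last) and adds a `skip_empty` switch that reproduces the described behaviour, where a zero-length entry is dropped instead of being fed into the chain. AES-CMAC is replaced by HMAC-SHA256 truncated to 16 bytes so the script needs only the standard library; the key, messages and the `distinguishes_empty_ad` check are constructed for this example. The check is the property an application that relies on empty associated-data entries needs: adding, removing or reordering an empty entry must change the authentication tag.

```python
"""RFC 5297 S2V model showing why an ignored empty AD entry goes unauthenticated.

ASSUMPTION: HMAC-SHA256 truncated to 16 bytes stands in for AES-CMAC so the
script runs with the standard library only. The chaining structure (dbl,
xorend, one PRF call per associated-data string, plaintext last) follows
RFC 5297 section 2.4. Key, messages and the skip_empty switch are constructed
for this example; skip_empty=True reproduces the behaviour described above.
"""
import hashlib
import hmac
from typing import Callable, List

BLOCK = 16


def prf(key: bytes, msg: bytes) -> bytes:
    """Stand-in for AES-CMAC(key, msg) (assumption: HMAC-SHA256 truncated)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]


def dbl(block: bytes) -> bytes:
    """Doubling in GF(2^128), RFC 5297 section 2.3."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ 0x87
    return n.to_bytes(BLOCK, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xorend(a: bytes, b: bytes) -> bytes:
    """XOR b onto the rightmost len(b) bytes of a (len(a) >= len(b))."""
    cut = len(a) - len(b)
    return a[:cut] + xor(a[cut:], b)


def pad(data: bytes) -> bytes:
    """10* padding of a string shorter than one block up to one block."""
    return data + b"\x80" + b"\x00" * (BLOCK - 1 - len(data))


def s2v(key: bytes, ad: List[bytes], plaintext: bytes, skip_empty: bool = False) -> bytes:
    """S2V(K, AD_1..AD_n, P): the SIV synthetic IV, i.e. the authentication tag.

    skip_empty=True models the bug: a zero-length entry is dropped instead of
    contributing dbl(D) xor PRF(K, "") to the chain, so it is never authenticated.
    """
    d = prf(key, b"\x00" * BLOCK)
    for entry in ad:
        if skip_empty and len(entry) == 0:
            continue  # vulnerable behaviour: the call "succeeds" but does nothing
        d = xor(dbl(d), prf(key, entry))
    if len(plaintext) >= BLOCK:
        t = xorend(plaintext, d)
    else:
        t = xor(dbl(d), pad(plaintext))
    return prf(key, t)


TagFn = Callable[[bytes, List[bytes], bytes], bytes]


def distinguishes_empty_ad(tag: TagFn) -> bool:
    """True if empty AD entries are authenticated: adding, removing or
    reordering an empty entry must change the tag."""
    key = b"\x01" * BLOCK                          # constructed test key
    msg = b"constructed payload of more than one block"
    base = tag(key, [b"hdr"], msg)
    variants = [
        tag(key, [b"hdr", b""], msg),              # empty entry appended
        tag(key, [b"", b"hdr"], msg),              # empty entry prepended
        tag(key, [b"hdr", b"", b""], msg),         # two empty entries
    ]
    return all(v != base for v in variants) and len(set(variants)) == len(variants)


def correct_tag(key: bytes, ad: List[bytes], msg: bytes) -> bytes:
    return s2v(key, ad, msg)


def buggy_tag(key: bytes, ad: List[bytes], msg: bytes) -> bytes:
    return s2v(key, ad, msg, skip_empty=True)


if __name__ == "__main__":
    print("correct S2V authenticates empty AD:", distinguishes_empty_ad(correct_tag))
    print("buggy model authenticates empty AD: ", distinguishes_empty_ad(buggy_tag))
```

Against a linked libcrypto the equivalent check follows directly from the summary: compute a tag for the same key, plaintext and non-empty associated data with and without one extra EVP_EncryptUpdate(ctx, NULL, &outl, ad, 0) call; if the two tags are identical, the empty entry was ignored and the build is affected. Non-empty entries are unaffected either way, which is why the model's two variants agree as long as no empty entry is present.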
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-2975.json
epss 0.00137 https://api.first.org/data/v1/epss?cve=CVE-2023-2975
epss 0.00141 https://api.first.org/data/v1/epss?cve=CVE-2023-2975
epss 0.00224 https://api.first.org/data/v1/epss?cve=CVE-2023-2975
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2023-2975
epss 0.00380 https://api.first.org/data/v1/epss?cve=CVE-2023-2975
epss 0.00488 https://api.first.org/data/v1/epss?cve=CVE-2023-2975
epss 0.00772 https://api.first.org/data/v1/epss?cve=CVE-2023-2975
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.3 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598
cvssv3.1 5.3 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
cvssv3 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-2975
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-2975
cvssv3.1 5.3 https://www.openssl.org/news/secadv/20230714.txt
generic_textual LOW https://www.openssl.org/news/secadv/20230714.txt
ssvc Track https://www.openssl.org/news/secadv/20230714.txt
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-2975.json
https://api.first.org/data/v1/epss?cve=CVE-2023-2975
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
https://security.netapp.com/advisory/ntap-20230725-0004/
https://www.openssl.org/news/secadv/20230714.txt
http://www.openwall.com/lists/oss-security/2023/07/15/1
http://www.openwall.com/lists/oss-security/2023/07/19/5
1041818 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041818
2223016 https://bugzilla.redhat.com/show_bug.cgi?id=2223016
cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
CVE-2023-2975 https://nvd.nist.gov/vuln/detail/CVE-2023-2975
GLSA-202402-08 https://security.gentoo.org/glsa/202402-08
RHSA-2024:2447 https://access.redhat.com/errata/RHSA-2024:2447
USN-6450-1 https://usn.ubuntu.com/6450-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-2975.json
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): none | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): low | Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network | Attack Complexity (AC): high | Privileges Required (PR): none | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): high | Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): none | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): low | Availability Impact (A): none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:23Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=00e2f5eea29994d19293ec4e8c8775ba73678598
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): none | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): low | Availability Impact (A): none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:23Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6a83f0c958811f07e0d11dfc6b5a6a98edfd5bdc
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-2975
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): none | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): low | Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-2975
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): none | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): low | Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://www.openssl.org/news/secadv/20230714.txt
Attack Vector (AV): network | Attack Complexity (AC): low | Privileges Required (PR): none | User Interaction (UI): none | Scope (S): unchanged | Confidentiality Impact (C): none | Integrity Impact (I): low | Availability Impact (A): none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:23Z/ Found at https://www.openssl.org/news/secadv/20230714.txt
Exploit Prediction Scoring System (EPSS)
Percentile 0.34768
EPSS Score 0.00137
Published At April 15, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.