VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-f4yg-z94s-aaak

Essentials
Severities (92)
References (13)
Severity details (11)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-f4yg-z94s-aaak
Aliases	CVE-2022-3996 GHSA-vr8j-hgmm-jh9r
Summary	If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Update (31 March 2023): The description of the policy processing enablement was corrected based on CVE-2023-0466.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-667	Improper Locking
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-609	Double-Checked Locking

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3996.json
epss	0.00107	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00107	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00107	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00107	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00118	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00185	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.0019	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.0019	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
epss	0.00577	https://api.first.org/data/v1/epss?cve=CVE-2022-3996
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-vr8j-hgmm-jh9r
cvssv3.1	7.5	https://github.com/alexcrichton/openssl-src-rs
generic_textual	HIGH	https://github.com/alexcrichton/openssl-src-rs
cvssv3.1	7.5	https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
generic_textual	HIGH	https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
cvssv3	7.5	https://nvd.nist.gov/vuln/detail/CVE-2022-3996
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2022-3996
cvssv3.1	7.5	https://www.openssl.org/news/secadv/20221213.txt
generic_textual	HIGH	https://www.openssl.org/news/secadv/20221213.txt

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3996.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-3996
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/alexcrichton/openssl-src-rs
		https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
		https://security.netapp.com/advisory/ntap-20230203-0003/
		https://www.openssl.org/news/secadv/20221213.txt
1027102		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027102
2153239		https://bugzilla.redhat.com/show_bug.cgi?id=2153239
cpe:2.3:a:openssl:openssl::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl::::::::
CVE-2022-3996		https://nvd.nist.gov/vuln/detail/CVE-2022-3996
GHSA-vr8j-hgmm-jh9r		https://github.com/advisories/GHSA-vr8j-hgmm-jh9r
USN-6039-1		https://usn.ubuntu.com/6039-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3996.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/alexcrichton/openssl-src-rs

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-3996

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-3996

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.openssl.org/news/secadv/20221213.txt

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.44206
EPSS Score	0.00107
Published At	Dec. 17, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.