Vulnerability details: VCID-kxc1-w2u3-aaak
Vulnerability ID VCID-kxc1-w2u3-aaak
Aliases CVE-2023-0401, GHSA-vrh7-x64v-7vxq
Summary A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. If the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail. There is a missing check for the return value from the initialization function, which later leads to invalid usage of the digest API, most likely resulting in a crash. The unavailability of an algorithm can be caused by using a FIPS-enabled configuration of providers or, more commonly, by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions; however, third-party applications would be affected if they call these functions to verify signatures on untrusted data.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0401.json
epss 0.00374 https://api.first.org/data/v1/epss?cve=CVE-2023-0401
epss 0.00530 https://api.first.org/data/v1/epss?cve=CVE-2023-0401
epss 0.00945 https://api.first.org/data/v1/epss?cve=CVE-2023-0401
epss 0.00971 https://api.first.org/data/v1/epss?cve=CVE-2023-0401
epss 0.01585 https://api.first.org/data/v1/epss?cve=CVE-2023-0401
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-vrh7-x64v-7vxq
cvssv3.1 7.5 https://github.com/alexcrichton/openssl-src-rs
generic_textual HIGH https://github.com/alexcrichton/openssl-src-rs
cvssv3.1 7.5 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d3b6dfd70db844c4499bec6ad6601623a565e674
generic_textual HIGH https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d3b6dfd70db844c4499bec6ad6601623a565e674
ssvc Track https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d3b6dfd70db844c4499bec6ad6601623a565e674
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-0401
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-0401
cvssv3.1 7.5 https://rustsec.org/advisories/RUSTSEC-2023-0013.html
generic_textual HIGH https://rustsec.org/advisories/RUSTSEC-2023-0013.html
cvssv3.1 7.5 https://security.gentoo.org/glsa/202402-08
ssvc Track https://security.gentoo.org/glsa/202402-08
cvssv3.1 7.4 https://www.openssl.org/news/secadv/20230207.txt
cvssv3.1 7.5 https://www.openssl.org/news/secadv/20230207.txt
generic_textual HIGH https://www.openssl.org/news/secadv/20230207.txt
ssvc Track https://www.openssl.org/news/secadv/20230207.txt
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-0401.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/alexcrichton/openssl-src-rs
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d3b6dfd70db844c4499bec6ad6601623a565e674
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:52Z/ Found at https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d3b6dfd70db844c4499bec6ad6601623a565e674
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-0401
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://rustsec.org/advisories/RUSTSEC-2023-0013.html
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.gentoo.org/glsa/202402-08
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:52Z/ Found at https://security.gentoo.org/glsa/202402-08
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H Found at https://www.openssl.org/news/secadv/20230207.txt
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.openssl.org/news/secadv/20230207.txt
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T13:26:52Z/ Found at https://www.openssl.org/news/secadv/20230207.txt
Exploit Prediction Scoring System (EPSS)
Percentile 0.72405
EPSS Score 0.00374
Published At Dec. 17, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.