Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-nu9f-dbfr-7bfr
Vulnerability ID VCID-nu9f-dbfr-7bfr
Aliases GHSA-hvc7-763r-4f3h
Summary openssl-encrypt has no owner verification on key revocation — any client can revoke any key ### Summary The `revoke_key` method in `openssl_encrypt_server/modules/keyserver/service.py` at **lines 195-270** accepts a `client_id` parameter but never verifies that the requesting client is the same as `key.owner_client_id`. ### Impact Any authenticated client can revoke any other client's key, as long as they provide a valid revocation signature. While the signature requirement mitigates this somewhat (you need the private key to sign), the lack of ownership check is a defense-in-depth gap. ### Recommended Fix - Add an ownership check: verify `client_id == key.owner_client_id` before allowing revocation - Return 403 Forbidden if the requesting client does not own the key ### Fix Fixed in commit `05e45f3` on branch `releases/1.4.x` — added documentation that ML-DSA signature verification IS the cryptographic ownership check; added info-level logging on successful verification.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-862 Missing Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/commit/05e45f393886b5bf7e924d2dd42099a9dd37f91d
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/commit/05e45f393886b5bf7e924d2dd42099a9dd37f91d
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-hvc7-763r-4f3h
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-hvc7-763r-4f3h
Reference id Reference type URL
https://github.com/jahlives/openssl_encrypt
https://github.com/jahlives/openssl_encrypt/commit/05e45f393886b5bf7e924d2dd42099a9dd37f91d
https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-hvc7-763r-4f3h
GHSA-hvc7-763r-4f3h https://github.com/advisories/GHSA-hvc7-763r-4f3h
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/commit/05e45f393886b5bf7e924d2dd42099a9dd37f91d
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-hvc7-763r-4f3h
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T07:45:41.588907+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hvc7-763r-4f3h/GHSA-hvc7-763r-4f3h.json 38.6.0