VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-wwmp-6xck-aaag

Essentials
Severities (87)
References (22)
Severity details (8)
Exploits (0)
EPSS
History (0)

Vulnerability ID	VCID-wwmp-6xck-aaag
Aliases	CVE-2023-5363
Summary	Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-325	Missing Cryptographic Step

System	Score	Found at
cvssv3.1	6.5	https://access.redhat.com/errata/RHSA-2024:2094
ssvc	Track	https://access.redhat.com/errata/RHSA-2024:2094
cvssv3	7.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5363.json
epss	0.00088	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00088	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00088	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00088	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.00106	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01304	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01304	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01304	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01304	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01304	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01304	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.01998	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02052	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.02188	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05734	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
epss	0.05832	https://api.first.org/data/v1/epss?cve=CVE-2023-5363
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3	7.5	https://nvd.nist.gov/vuln/detail/CVE-2023-5363
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2023-5363
archlinux	Medium	https://security.archlinux.org/AVG-2848
archlinux	Medium	https://security.archlinux.org/AVG-2849

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5363.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-5363
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0df40630850fb2740e6be6890bb905d3fc623b2d
		https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f69f5c65e483928c4b28ed16af6e5742929f1ee
		https://security.netapp.com/advisory/ntap-20231027-0010/
		https://security.netapp.com/advisory/ntap-20240201-0003/
		https://security.netapp.com/advisory/ntap-20240201-0004/
		https://www.debian.org/security/2023/dsa-5532
		https://www.openssl.org/news/secadv/20231024.txt
		http://www.openwall.com/lists/oss-security/2023/10/24/1
2243839		https://bugzilla.redhat.com/show_bug.cgi?id=2243839
AVG-2848		https://security.archlinux.org/AVG-2848
AVG-2849		https://security.archlinux.org/AVG-2849
cpe:2.3:a:openssl:openssl::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl::::::::
cpe:2.3:o:debian:debian_linux:12.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:12.0:::::::*
CVE-2023-5363		https://nvd.nist.gov/vuln/detail/CVE-2023-5363
RHSA-2024:0310		https://access.redhat.com/errata/RHSA-2024:0310
RHSA-2024:0500		https://access.redhat.com/errata/RHSA-2024:0500
RHSA-2024:1383		https://access.redhat.com/errata/RHSA-2024:1383
RHSA-2024:2094		https://access.redhat.com/errata/RHSA-2024:2094
USN-6450-1		https://usn.ubuntu.com/6450-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/errata/RHSA-2024:2094

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-08T17:12:36Z/ Found at https://access.redhat.com/errata/RHSA-2024:2094

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-5363.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-5363

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-5363

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.38948
EPSS Score	0.00088
Published At	Dec. 17, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.