CVE-2017-8301
MEDIUMLibreSSL 2.5.1-2.5.3 - Improper Certificate Validation via SSL_get_verify_result
Title source: llmDescription
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.
References (4)
Core 4
Core References
Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/oss-sec/2017/q2/145
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/libressl-portable/portable/issues/307
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://trac.nginx.org/nginx/ticket/1257
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/98076
Scores
CVSS v3
5.3
EPSS
0.0021
EPSS Percentile
43.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-295
Status
published
Products (3)
openbsd/libressl
2.5.1
openbsd/libressl
2.5.2
openbsd/libressl
2.5.3
Published
Apr 27, 2017
Tracked Since
Feb 18, 2026