CVE-2023-0216
Severity: HIGH
OpenSSL 3.0.0-3.0.6 - Denial of Service via Malformed PKCS7 Data
Title source: llmDescription
An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash, which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call these functions; however, third-party applications might call them on untrusted data.
References (4)
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003 (Various Sources)
https://www.openssl.org/news/secadv/20230207.txt (Vendor Advisory)
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6 (Patch, Vendor Advisory)
https://security.gentoo.org/glsa/202402-08 (Third Party Advisory)
Scores
CVSS v3: 7.5
EPSS: 0.0085
EPSS Percentile: 75.2%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-476
Status: published
Products (3)
crates.io/openssl-src: 300.0.0 - 300.0.12
openssl/openssl: 3.0.0 - 3.0.7
stormshield/stormshield_management_center: < 3.3.3
Published: Feb 08, 2023
Tracked Since: Feb 18, 2026