Reported

May 1, 2021

Issued

May 1, 2021 (last modified: June 13, 2023)

Package

openssl-src (crates.io)

Type

Vulnerability

Categories

• denial-of-service

Aliases

• CVE-2021-23840
• GHSA-qgm6-9472-pwq7

References

• https://www.openssl.org/news/secadv/20210216.txt

CVSS Score

7.5 HIGH

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

• >=111.14

Description

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash.

Advisory available under CC0-1.0 license.