- Reported
-
- Issued
-
- Package
-
openssl-src
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Aliases
-
- References
-
- CVSS Score
- 5.3
MEDIUM
- CVSS Details
-
- Attack vector
- Network
- Attack complexity
- Low
- Privileges required
- None
- User interaction
- None
- Scope
- Unchanged
- Confidentiality
- None
- Integrity
- Low
- Availability
- None
- CVSS Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Patched
-
- Unaffected
-
Description
The function OCSP_basic_verify
verifies the signer certificate on an OCSP
response. In the case where the (non-default) flag OCSP_NOCHECKS is used then
the response will be positive (meaning a successful verification) even in the
case where the response signing certificate fails to verify.
It is anticipated that most users of OCSP_basic_verify
will not use the
OCSP_NOCHECKS flag. In this case the OCSP_basic_verify
function will return
a negative value (indicating a fatal error) in the case of a certificate
verification failure. The normal expected return value in this case would be 0.
Advisory available under CC0-1.0
license.