
RUSTSEC-2022-0027

OCSP_basic_verify may incorrectly verify the response signing certificate

Reported
Issued
Package
openssl-src (crates.io)
Type
Vulnerability
Categories
Aliases
References
CVSS Score
5.3 MEDIUM
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Patched
  • >=300.0.6
Unaffected
  • <300.0
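As an added example (not code from the RustSec advisory, the openssl-src crate or its maintainers), the Rust program below applies the Patched and Unaffected ranges above to the `openssl-src` entry of a Cargo.lock: anything at or above 300.0 and below 300.0.6 is reported as vulnerable. The lock-file text is constructed for the example; its version strings follow the crate's `<crate version>+<bundled OpenSSL version>` layout, and the `+` build-metadata suffix is ignored when comparing, as Cargo's semver rules do.

```rust
// Added example: classify the openssl-src version pinned in a Cargo.lock
// against the ranges stated by RUSTSEC-2022-0027.
use std::fmt;

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    // Field order matters: derived Ord compares major, then minor, then patch.
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "300.0.5+3.0.2" or "300.0" into a comparable version.
    /// Pre-release ("-") and build metadata ("+") are dropped; a missing
    /// minor or patch component is treated as 0, so "300.0" == 300.0.0.
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.trim().split(|c| c == '-' || c == '+').next()?;
        let mut parts = core.split('.');
        let major: u64 = parts.next()?.parse().ok()?;
        let minor: u64 = parts.next().map_or(Some(0), |p| p.parse().ok())?;
        let patch: u64 = parts.next().map_or(Some(0), |p| p.parse().ok())?;
        if parts.next().is_some() {
            return None; // more than three numeric components is not semver
        }
        Some(Version { major, minor, patch })
    }
}

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.major, self.minor, self.patch)
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Status {
    Unaffected,
    Vulnerable,
    Patched,
}

/// Ranges exactly as the advisory states them: unaffected < 300.0,
/// patched >= 300.0.6, everything in between vulnerable.
pub fn classify(v: Version) -> Status {
    let unaffected_below = Version { major: 300, minor: 0, patch: 0 };
    let patched_from = Version { major: 300, minor: 0, patch: 6 };
    if v < unaffected_below {
        Status::Unaffected
    } else if v >= patched_from {
        Status::Patched
    } else {
        Status::Vulnerable
    }
}

/// Collect every version of `pkg` from Cargo.lock text. A lock file may pin
/// the same crate at several versions, so this returns all of them.
pub fn lock_versions(lock: &str, pkg: &str) -> Vec<Version> {
    let mut out = Vec::new();
    let mut in_pkg = false;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            in_pkg = false; // new entry; wait for its name line
        } else if let Some(name) = line.strip_prefix("name = ") {
            in_pkg = name.trim_matches('"') == pkg;
        } else if in_pkg {
            if let Some(ver) = line.strip_prefix("version = ") {
                if let Some(v) = Version::parse(ver.trim_matches('"')) {
                    out.push(v);
                }
                in_pkg = false; // version recorded; ignore the rest of the entry
            }
        }
    }
    out
}

/// Audit a Cargo.lock for this advisory: one (version, status) per openssl-src pin.
pub fn audit(lock: &str) -> Vec<(Version, Status)> {
    lock_versions(lock, "openssl-src")
        .into_iter()
        .map(|v| (v, classify(v)))
        .collect()
}

/// Constructed Cargo.lock excerpt (not from a real project) with a vulnerable pin.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "openssl-src"
version = "300.0.5+3.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "openssl-sys"
version = "0.9.72"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "openssl-src",
]
"#;

fn main() {
    for (v, status) in audit(SAMPLE_LOCK) {
        println!("openssl-src {}: {:?}", v, status);
    }
}
```

Run against a real lock file by replacing `SAMPLE_LOCK` with the contents of `Cargo.lock`; a `Vulnerable` result means the crate builds a bundled OpenSSL in the affected range, and the remediation is to bump `openssl-src` to 300.0.6 or later.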

Description

The function OCSP_basic_verify verifies the signer certificate on an OCSP response. When the (non-default) flag OCSP_NOCHECKS is set, the function returns a positive value (meaning successful verification) even when the response signing certificate fails to verify.

Most users of OCSP_basic_verify are not expected to use the OCSP_NOCHECKS flag. Without that flag, a certificate verification failure makes OCSP_basic_verify return a negative value (indicating a fatal error) rather than the normal expected return value of 0 for a failed verification; callers that treat every non-positive return as a failure therefore still reject the response.

Advisory available under CC0-1.0 license.