CVE-2022-3996 – openssl-src

Package

Manager: cargo
Name: openssl-src
Vulnerable Version: >=300.0.0 <300.0.12

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00149 pctl0.35968

Details

Denial of service by double-checked locking in openssl-src If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the `-policy' argument to the command line utilities or by calling either `X509_VERIFY_PARAM_add0_policy()' or `X509_VERIFY_PARAM_set1_policies()' functions.

Metadata

Created: 2022-12-13T18:30:33Z
Modified: 2024-10-02T18:03:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-vr8j-hgmm-jh9r/GHSA-vr8j-hgmm-jh9r.json
CWE IDs: ["CWE-667"]
Alternative ID: GHSA-vr8j-hgmm-jh9r
Finding: F115
Auto approve: 1