logo

Database

Improper authorization control for web services In openssl-encrypt

Description

openssl-encrypt has no owner verification on key revocation — any client can revoke any key

Summary

The revoke_key method in openssl_encrypt_server/modules/keyserver/service.py at lines 195-270 accepts a client_id parameter but never verifies that the requesting client is the same as key.owner_client_id.

Impact

Any authenticated client can revoke any other client's key, as long as they provide a valid revocation signature. While the signature requirement mitigates this somewhat (you need the private key to sign), the lack of ownership check is a defense-in-depth gap.

Recommended Fix

    Add an ownership check: verify client_id == key.owner_client_id before allowing revocation

    Return 403 Forbidden if the requesting client does not own the key

Fix

Fixed in commit 05e45f3 on branch releases/1.4.x — added documentation that ML-DSA signature verification IS the cryptographic ownership check; added info-level logging on successful verification.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-hvc7-763r-4f3h2. GCVE-GHSA-hvc7-763r-4f3h

References

1. https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-hvc7-763r-4f3h2. https://github.com/jahlives/openssl_encrypt/commit/05e45f393886b5bf7e924d2dd42099a9dd37f91d

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.