DEBIAN-CVE-2023-0465

DEBIAN-CVE-2023-0465 PUBLISHED CVSS 5.300000190734863 MEDIUM

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function.

Risk Scores

CVSS 3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:14	openssl	0, 0, 0
Debian:13	openssl	0, 0, 0
Debian:12	openssl	0, 0, 0
Debian:11	openssl	1.1.1, 1.1.1, 1.1.1

Exploit Intelligence

Rapport_149185019.html (github-poc)
TestCommand.yaml (github-poc)

Timeline

Mar 28, 2023 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2023-0465 advisory

Open in Interactive Console →