Vulnerability Details CVE-2004-0004
The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.01
EPSS Ranking 75.9%
CVSS Severity
CVSS v2 Score 7.5
References
- http://marc.info/?l=bugtraq&m=107427313700554&w=2
- http://www.kb.cert.org/vuls/id/336446
- http://www.openca.org/news/CAN-2004-0004.txt
- http://www.osvdb.org/3615
- http://www.securityfocus.com/bid/9435
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14847
- http://marc.info/?l=bugtraq&m=107427313700554&w=2
- http://www.kb.cert.org/vuls/id/336446
- http://www.openca.org/news/CAN-2004-0004.txt
- http://www.osvdb.org/3615
- http://www.securityfocus.com/bid/9435
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14847