
Vulnerability Details CVE-2009-0127

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto."
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 25.1%
CVSS Severity
CVSS v2 Score 5.0
Products affected by CVE-2009-0127

