CVE-2023-0216: openssl-src subject to Invalid pointer dereference in `d2i_PKCS7` functions
(updated )
An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.
The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.
References
- git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6
- github.com/advisories/GHSA-29xx-hcv2-c4cp
- nvd.nist.gov/vuln/detail/CVE-2023-0216
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003
- rustsec.org/advisories/RUSTSEC-2023-0011.html
- security.gentoo.org/glsa/202402-08
- www.openssl.org/news/secadv/20230207.txt
Code Behaviors & Features
Detect and mitigate CVE-2023-0216 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →