CVE-2023-0216

HIGH7.5

Invalid pointer dereference in d2i_PKCS7 functions

Published Feb 8, 2023

Modified 2 months ago

No fix available

Details

An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions.

The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.

References

FIXhttps://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=934a04f0e775309cadbef0aa6b9692e1b12a76c6 WEBhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0003 WEBhttps://security.gentoo.org/glsa/202402-08 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2023-0216 ADVISORYhttps://www.openssl.org/news/secadv/20230207.txt

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Ecosystems

Timeline

PublishedFeb 8, 2023

ModifiedNov 4, 2025