Published: 09/07/2015 Updated: 07/11/2023

CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10

CVSS v3 Base Score: 6.5 | Impact Score: 2.5 | Exploitability Score: 3.9

VMScore: 645

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Subscribe to Supply Chain Products Suite

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote malicious users to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

Vulnerable Product	Search on Vulmon	Subscribe to Product
oracle supply chain products suite 6.1.2.2
oracle supply chain products suite 6.2.0
oracle supply chain products suite 6.1.3.0
oracle jd edwards enterpriseone tools 9.2
oracle jd edwards enterpriseone tools 9.1
openssl openssl 1.0.2b
openssl openssl 1.0.2c
openssl openssl 1.0.1n
openssl openssl 1.0.1o
oracle opus 10g ethernet switch family

During certificate verfification, OpenSSL (starting from version 101n and 102b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, e ...

A flaw was found in the way OpenSSL verified alternative certificate chains An attacker able to supply a certificate chain to an SSL/TLS or DTLS client or an SSL/TLS or DTLS server using client authentication could use this flaw to bypass certain checks in the verification process, possibly allowing them to use one of the certificates in the suppl ...

SecurityCenter and PVS are potentially impacted by a vulnerability in OpenSSL that was recently disclosed and fixed Note that due to the time involved in doing a full analysis of the issue, Tenable has opted to patch the included version of OpenSSL as a precaution, and to save time OpenSSL crypto/x509/x509_vfyc X509_verify_cert() Function Alter ...

#!/usr/bin/env ruby # encoding: ASCII-8BIT # By Ramon de C Valle This work is dedicated to the public domain require 'openssl' require 'optparse' require 'socket' Version = [0, 0, 1] Release = nil class String def hexdump(stream=$stdout) 0step(bytesize - 1, 16) do |i| streamprintf('%08x ', i) 0upto(15) do |j| str ...

Orion Elite Hidden IP Browser Pro versions 10 through 79 have insecure versions of Tor and OpenSSL included and also suffer from man-in-the-middle vulnerabilities ...

HPE rushes out patch for more than a year of OpenSSL vulns

The Register • Richard Chirgwin • 06 Jul 2016

Logjam in patch pipeline cleared at last

HP Enterprise has popped into its Tardis, and gone back in time to patch OpenSSL bugs dating back to 2014 – including the infamous Logjam bug. The bugs are in various network products: Intelligent Management Center (iMC), the VCX unified communications products, and the Comware network operating system. The company's notice cites Common Vulnerability and Exposure (CVE) advisories CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, and CVE-2015-1793. Most o...

CWE-254 http://openssl.org/news/secadv_20150709.txt http://marc.info/?l=bugtraq&m=143880121627664&w=2 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10694 http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.securityfocus.com/bid/91787 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05184351 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05045763 http://marc.info/?l=bugtraq&m=144370846326989&w=2 http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.securityfocus.com/bid/75652 http://fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454058.htm http://www.fortiguard.com/advisory/2015-07-09-cve-2015-1793-openssl-alternative-chains-certificate-forgery https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04822825 https://kc.mcafee.com/corporate/index?page=content&id=SB10125 https://security.gentoo.org/glsa/201507-15 http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc https://www.freebsd.org/security/advisories/FreeBSD-SA-15:12.openssl.asc http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.561427 http://www.securitytracker.com/id/1032817 http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150710-openssl http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161782.html http://lists.fedoraproject.org/pipermail/package-announce/2015-July/161747.html https://www.exploit-db.com/exploits/38640/http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=9a0db453ba017ebcaccbee933ee6511a9ae4d1c8 https://nvd.nist.gov https://alas.aws.amazon.com/ALAS-2015-564.html https://www.exploit-db.com/exploits/38640/

CVE-2015-1793

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Exploits

Recent Articles

References

Vulmon Search

About

Products

Connect