CVE-2023-0215

MITRE NVD CVE.ORG Print: PDF PDF

Summary

CVECVE-2023-0215
StatePUBLIC
Assigner[email protected]
Source PriorityCVE Program / NVD first with legacy fallback
Published2023-02-08 20:15:00 UTC
Updated2024-02-04 09:15:00 UTC
DescriptionThe public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.

Risk And Classification

Problem Types: CWE-416

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Application Openssl Openssl All All All All
Application Stormshield Stormshield Management Center All All All All

References

ReferenceSourceLinkTags
www.openssl.org/news/secadv/20230207.txt MISC www.openssl.org
git.openssl.org Git - openssl.git/commitdiff MISC git.openssl.org
git.openssl.org Git - openssl.git/commitdiff MISC git.openssl.org
April 2023 MySQL Server Vulnerabilities in NetApp Products | NetApp Product Security MISC security.netapp.com
OpenSSL: Multiple Vulnerabilities (GLSA 202402-08) — Gentoo security security.gentoo.org
git.openssl.org Git - openssl.git/commitdiff MISC git.openssl.org
CVE-2023-0215 MySQL Connector/ODBC Vulnerability in NetApp Products | NetApp Product Security MISC security.netapp.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Legacy QID Mappings

  • 160481 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-0946)
  • 160492 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-12152)
  • 160521 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-1405)
  • 160523 Oracle Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ELSA-2023-12213)
  • 160621 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-2165)
  • 160668 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-2932)
  • 161209 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13026)
  • 161210 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13024)
  • 161212 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-32791)
  • 161213 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13025)
  • 161214 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-13027)
  • 161215 Oracle Enterprise Linux Security Update for edk2 (ELSA-2023-32790)
  • 181546 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (DSA 5343-1)
  • 181593 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (DLA 3325-1)
  • 182419 Debian Security Update for Open Secure Sockets Layer (OpenSSL) (CVE-2023-0215)
  • 199150 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5844-1)
  • 199151 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5845-1)
  • 199518 Ubuntu Security Notification for Open Secure Sockets Layer (OpenSSL) Vulnerabilities (USN-5845-2)
  • 200021 Ubuntu Security Notification for Node.js Vulnerabilities (USN-6564-1)
  • 20344 Oracle MySQL April 2023 Critical Patch Update (CPUAPR2023)
  • 241227 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:0946)
  • 241256 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:1199)
  • 241285 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:1405)
  • 241469 Red Hat Update for edk2 security (RHSA-2023:2165)
  • 241496 Red Hat Update for edk2 (RHSA-2023:2932)
  • 241568 Red Hat Update for Open Secure Sockets Layer (OpenSSL) (RHSA-2023:3408)
  • 241574 Red Hat Update for JBoss Core Services (RHSA-2023:3354)
  • 241833 Red Hat Update for edk2 (RHSA-2023:4128)
  • 283694 Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2023-57f33242bc)
  • 283709 Fedora Security Update for edk2 (FEDORA-2023-e1ffb79ddf)
  • 283736 Fedora Security Update for Open Secure Sockets Layer (OpenSSL) (FEDORA-2023-a5564c0a3f)
  • 283759 Fedora Security Update for edk2 (FEDORA-2023-e821b64a4c)
  • 296101 Oracle Solaris 11.4 Support Repository Update (SRU) 59.138.2 Missing (CPUJUL2023)
  • 330133 IBM Advanced Interactive eXecutive (AIX) Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (openssl_advisory38)
  • 354734 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS-2023-1683
  • 354735 Amazon Linux Security Advisory for Open Secure Sockets Layer11 (OpenSSL11) : ALAS2-2023-1934
  • 354737 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2-2023-1935
  • 355058 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : AL2012-2023-382
  • 355230 Amazon Linux Security Advisory for Open Secure Sockets Layer (OpenSSL) : ALAS2023-2023-101
  • 356233 Amazon Linux Security Advisory for openssl-snapsafe : ALASOPENSSL-SNAPSAFE-2023-002
  • 356483 Amazon Linux Security Advisory for openssl-snapsafe : ALAS2OPENSSL-SNAPSAFE-2023-002
  • 357333 Amazon Linux Security Advisory for edk2 : ALAS2-2024-2502
  • 378416 Alibaba Cloud Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ALINUX3-SA-2023:0033)
  • 378430 Oracle MySQL Connectors 8.0.x Denial of Service (DoS) Vulnerability (CPUAPR2023)
  • 378438 HCL BigFix Multiple Security Vulnerabilities (KB0103724)
  • 378445 F5 BIG-IP Denial of Service (DoS) Vulnerability (K000132946)
  • 378515 Alibaba Cloud Linux Security Update for edk2 (ALINUX3-SA-2023:0044)
  • 378599 Splunk Enterprise Third Party Package Updates for June (SVD-2023-0613)
  • 379452 IBM Cognos Analytics Multiple Vulnerabilities (7123154)
  • 38894 Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities
  • 43991 Hewlett Packard Enterprise (HPE) ArubaOS Multiple Vulnerabilities (ARUBA-PSA-2023-001)
  • 502652 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
  • 502653 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
  • 502757 Alpine Linux Security Update for openssl
  • 502907 Alpine Linux Security Update for openssl1.1-compat
  • 505784 Alpine Linux Security Update for openssl1.1-compat
  • 672879 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1602)
  • 672984 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1875)
  • 673006 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1850)
  • 673018 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1982)
  • 673042 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-1960)
  • 673060 EulerOS Security Update for shim-signed (EulerOS-SA-2023-2170)
  • 673064 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-2161)
  • 673072 EulerOS Security Update for shim (EulerOS-SA-2023-2169)
  • 673136 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-2299)
  • 673156 EulerOS Security Update for Open Secure Sockets Layer (OpenSSL) (EulerOS-SA-2023-2275)
  • 673398 EulerOS Security Update for linux-sgx (EulerOS-SA-2023-3047)
  • 691051 Free Berkeley Software Distribution (FreeBSD) Security Update for Open Secure Sockets Layer (OpenSSL) (648a432c-a71f-11ed-86e9-d4c9ef517024)
  • 710857 Gentoo Linux Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (GLSA 202402-08)
  • 730818 IBM MQ Appliance Multiple Security Vulnerabilities (6986567)
  • 753631 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305-1)
  • 753633 SUSE Enterprise Linux Security Update for openssl1 (SUSE-SU-2023:0307-1)
  • 753634 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0306-1)
  • 753636 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0310-1)
  • 753637 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0308-1)
  • 753640 SUSE Enterprise Linux Security Update for openssl-3 (SUSE-SU-2023:0312-1)
  • 753647 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0311-1)
  • 753649 SUSE Enterprise Linux Security Update for openssl-1_1 (SUSE-SU-2023:0309-1)
  • 754071 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754072 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305-2)
  • 754079 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754080 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754084 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305)
  • 754085 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754086 SUSE Enterprise Linux Security Update for Open Secure Sockets Layer (OpenSSL)-1_0_0 (SUSE-SU-2023:0305)
  • 754087 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305)
  • 754088 SUSE Enterprise Linux Security Update for openssl-1_0_0 (SUSE-SU-2023:0305)
  • 905439 Common Base Linux Mariner (CBL-Mariner) Security Update for cloud-hypervisor (13301)
  • 905441 Common Base Linux Mariner (CBL-Mariner) Security Update for shim-unsigned-x64 (13315)
  • 905445 Common Base Linux Mariner (CBL-Mariner) Security Update for shim-unsigned-aarch64 (13314)
  • 905446 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (13312)
  • 905447 Common Base Linux Mariner (CBL-Mariner) Security Update for shim-unsigned-x64 (13336)
  • 905452 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13325)
  • 905454 Common Base Linux Mariner (CBL-Mariner) Security Update for shim-unsigned-aarch64 (13335)
  • 905457 Common Base Linux Mariner (CBL-Mariner) Security Update for rust (13333)
  • 905460 Common Base Linux Mariner (CBL-Mariner) Security Update for cloud-hypervisor (13317)
  • 905464 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13352)
  • 905481 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13325-1)
  • 905503 Common Base Linux Mariner (CBL-Mariner) Security Update for Open Secure Sockets Layer (OpenSSL) (13352-1)
  • 906766 Common Base Linux Mariner (CBL-Mariner) Security Update for cloud-hypervisor (13301-1)
  • 940941 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2023:0946)
  • 940962 AlmaLinux Security Update for Open Secure Sockets Layer (OpenSSL) (ALSA-2023:1405)
  • 941044 AlmaLinux Security Update for edk2 (ALSA-2023:2165)
  • 941103 AlmaLinux Security Update for edk2 (ALSA-2023:2932)
  • 960886 Rocky Linux Security Update for Open Secure Sockets Layer (OpenSSL) (RLSA-2023:1405)
  • 960889 Rocky Linux Security Update for Open Secure Sockets Layer (OpenSSL) (RLSA-2023:0946)
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

CVE.report and Source URL Uptime Status status.cve.report