CVE-2009-0127

M2Crypto does not properly check the return value from the OpenSSL EVP_VerifyFinal, DSA_verify, ECDSA_verify, DSA_do_verify, and ECDSA_do_verify functions, which might allow remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077.  NOTE: a Linux vendor disputes the relevance of this report to the M2Crypto product because "these functions are not used anywhere in m2crypto.
Severity
UNKNOWN
AV:N/AC:L/Au:N/C:P/I:N/A:N
Atk. Vector
NETWORK
Atk. Complexity
LOW
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
heikkitoivonenm2crypto
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
m2crypto
bullseye
vulnerable
bookworm
vulnerable
trixie
vulnerable
sid
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
m2crypto
karmic
ignored
jaunty
ignored
intrepid
ignored
hardy
ignored
gutsy
ignored
dapper
ignored