Vulnerability Description
The error checking routine used for the C_Verify call on a symmetric verification key in the nCipher PKCS#11 library 1.2.0 and later returns the CKR_OK status even when it detects an invalid signature, which could allow remote attackers to modify or forge messages.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ncipher | Pkcs 11 Library | 1.2.0 |
References
- http://archives.neohapsis.com/archives/bugtraq/2002-08/0172.html
- http://www.iss.net/security_center/static/9895.php
- http://www.ncipher.com/support/advisories/advisory5_c_verify.htmlPatch
- http://www.securityfocus.com/bid/5498
- http://archives.neohapsis.com/archives/bugtraq/2002-08/0172.html
- http://www.iss.net/security_center/static/9895.php
- http://www.ncipher.com/support/advisories/advisory5_c_verify.htmlPatch
- http://www.securityfocus.com/bid/5498
FAQ
What is CVE-2002-1446?
CVE-2002-1446 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The error checking routine used for the C_Verify call on a symmetric verification key in the nCipher PKCS#11 library 1.2.0 and later returns the CKR_OK status even when it detects an invalid signature...
How severe is CVE-2002-1446?
CVE-2002-1446 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2002-1446?
Check the references section above for vendor advisories and patch information. Affected products include: Ncipher Pkcs 11 Library.