Vulnerability Description
The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a signature that originally appeared to be valid but was actually invalid.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| OpenSSL | OpenSSL | 0.9.8h |
Related Weaknesses (CWE)
References
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
- http://marc.info/?l=bugtraq&m=124464882609472&w=2
- http://marc.info/?l=bugtraq&m=127678688104458&w=2
- http://secunia.com/advisories/34411 (Vendor Advisory)
- http://secunia.com/advisories/34460 (Vendor Advisory)
- http://secunia.com/advisories/34666
- http://secunia.com/advisories/35065
- http://secunia.com/advisories/35380
- http://secunia.com/advisories/35729
- http://secunia.com/advisories/36701
- http://secunia.com/advisories/42724
- http://secunia.com/advisories/42733
- http://securitytracker.com/id?1021907
FAQ
What is CVE-2009-0591?
CVE-2009-0591 is a vulnerability with a CVSS score of 2.6 (LOW). The CMS_verify function in OpenSSL 0.9.8h through 0.9.8j, when CMS is enabled, does not properly handle errors associated with malformed signed attributes, which allows remote attackers to repudiate a...
How severe is CVE-2009-0591?
CVE-2009-0591 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2009-0591?
Check the references section above for vendor advisories and patch information. Affected products include: OpenSSL OpenSSL.