Vulnerability Description
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.
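The pattern the description refers to is the one nginx uses: install a verify callback that always returns 1 so the handshake completes, then enforce policy afterwards by comparing SSL_get_verify_result to X509_V_OK. The stand-alone C model below is an added example, not LibreSSL or nginx source; it links no libssl and the store_ctx type, the check_chain helper and the error codes are constructed stand-ins for the real API. It contrasts the documented semantics (the callback overrides the failure for the handshake, but the stored result keeps the chain error) with the failure mode the advisory describes, where the stored result no longer reflects the invalid chain once the callback has returned 1, and shows a defensive application that records the error in its own state instead of trusting the library's stored result alone.

```c
#include <stdio.h>

/* Constructed stand-ins for the libssl names; no real library is used. */
#define X509_V_OK 0
#define X509_V_ERR_CERT_HAS_EXPIRED 10

typedef struct store_ctx store_ctx;
struct store_ctx {
    int error;                                   /* last chain error seen */
    int (*verify_cb)(int ok, store_ctx *ctx);    /* user-provided callback */
};

/* Hypothetical chain check: the "chain" is reduced to the error code the
 * caller constructs for it. Records the error and reports success/failure. */
static int check_chain(int chain_error, store_ctx *ctx) {
    ctx->error = chain_error;
    return chain_error == X509_V_OK;
}

/* Documented semantics: a callback returning 1 lets the handshake proceed,
 * but ctx->error keeps the real error so a later SSL_get_verify_result-style
 * check still sees that the chain was invalid. */
static int verify_cert_expected(int chain_error, store_ctx *ctx) {
    int ok = check_chain(chain_error, ctx);
    if (!ok && ctx->verify_cb)
        ok = ctx->verify_cb(0, ctx);
    return ok;
}

/* Model of the behaviour the advisory describes (not LibreSSL's code): once
 * the callback has returned 1 the stored result is reset to OK, so the
 * application's later check can no longer distinguish a bad chain. */
static int verify_cert_regressed(int chain_error, store_ctx *ctx) {
    int ok = check_chain(chain_error, ctx);
    if (!ok && ctx->verify_cb)
        ok = ctx->verify_cb(0, ctx);
    if (ok)
        ctx->error = X509_V_OK;
    return ok;
}

/* nginx-style callback: always let the handshake continue; policy is meant
 * to be applied later from the verify result. */
static int always_ok_callback(int ok, store_ctx *ctx) {
    (void)ok; (void)ctx;
    return 1;
}

/* Application that relies on the stored result. Returns 1 if the peer is
 * accepted. `verify` selects which library behaviour is exercised. */
static int app_accepts(int chain_error, int (*verify)(int, store_ctx *)) {
    store_ctx ctx = { X509_V_OK, always_ok_callback };
    if (!verify(chain_error, &ctx))
        return 0;                        /* handshake itself failed */
    return ctx.error == X509_V_OK;       /* SSL_get_verify_result() check */
}

/* Defensive variant: the callback records the first error it is shown, so
 * the decision no longer depends solely on the library's stored result.
 * A real application would keep this in SSL ex_data; a static suffices here. */
static int recorded_error = X509_V_OK;

static int recording_callback(int ok, store_ctx *ctx) {
    if (!ok && recorded_error == X509_V_OK)
        recorded_error = ctx->error;
    return 1;
}

static int app_accepts_defensive(int chain_error, int (*verify)(int, store_ctx *)) {
    store_ctx ctx = { X509_V_OK, recording_callback };
    recorded_error = X509_V_OK;
    if (!verify(chain_error, &ctx))
        return 0;
    return ctx.error == X509_V_OK && recorded_error == X509_V_OK;
}

int main(void) {
    int bad = X509_V_ERR_CERT_HAS_EXPIRED;
    printf("expected semantics, expired cert     : %s\n",
           app_accepts(bad, verify_cert_expected) ? "ACCEPTED" : "rejected");
    printf("regressed semantics, expired cert    : %s\n",
           app_accepts(bad, verify_cert_regressed) ? "ACCEPTED" : "rejected");
    printf("defensive app, regressed semantics   : %s\n",
           app_accepts_defensive(bad, verify_cert_regressed) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The middle line of the output is the advisory's bug in miniature: the handshake succeeds, the stored result reads OK, and an expired certificate is accepted even though the application asked to verify the peer. The defensive variant is an application-side mitigation, not the fix; the fix is a LibreSSL release outside the affected 2.5.1 to 2.5.3 range.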
CVSS Score
5.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openbsd | Libressl | 2.5.1 through 2.5.3 |
Related Weaknesses (CWE)
References
- http://seclists.org/oss-sec/2017/q2/145 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/98076 (Third Party Advisory, VDB Entry)
- https://github.com/libressl-portable/portable/issues/307 (Issue Tracking, Patch, Third Party Advisory)
- https://trac.nginx.org/nginx/ticket/1257 (Issue Tracking, Patch, Third Party Advisory)
FAQ
What is CVE-2017-8301?
CVE-2017-8301 is a vulnerability with a CVSS score of 5.3 (MEDIUM). LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.
How severe is CVE-2017-8301?
CVE-2017-8301 has been rated MEDIUM with a CVSS base score of 5.3/10. In practice, an application that installs a permissive verify callback and enforces certificate validity afterwards through SSL_get_verify_result, as nginx does, accepts invalid peer certificates when built against an affected LibreSSL.
Is there a patch for CVE-2017-8301?
The description lists LibreSSL 2.5.1 through 2.5.3 as affected; later LibreSSL releases are not listed. Check the references above (the libressl-portable and nginx issue trackers) for vendor advisories and patch information. Affected products include: Openbsd Libressl.