CVE-2015-1793
Public on 2015-07-09
Modified on 2015-07-09
Description
A flaw was found in the way OpenSSL verified alternative certificate chains. An attacker able to supply a certificate chain to an SSL/TLS or DTLS client or an SSL/TLS or DTLS server using client authentication could use this flaw to bypass certain checks in the verification process, possibly allowing them to use one of the certificates in the supplied certificate chain as a CA certificate to generate an invalid certificate.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 1 | openssl | 2015-07-09 | ALAS-2015-564 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv2 | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| NVD | CVSSv3 | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| NVD | CVSSv2 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:N |