CVE-2022-1343

EPSS 0.13%
Published 03.05.2022 16:15:18
Last modified 05.05.2025 17:17:34
Source openssl-security@openssl.org
Teams watchlist Login
Open Login

The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response. In the case where the (non-default) flag OCSP_NOCHECKS is used then the response will be positive (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of `OCSP_basic_verify` will not use the OCSP_NOCHECKS flag. In this case the `OCSP_basic_verify` function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2).

Affected products Warnungen 0 Metrics 4 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

OpenSSL ≫ OpenSSL Version >= 3.0.0 < 3.0.3

Netapp ≫ Active Iq Unified Manager Version- SwPlatformvsphere

Netapp ≫ Clustered Data Ontap Version-

Netapp ≫ Clustered Data Ontap Antivirus Connector Version-

Netapp ≫ Santricity Smi-s Provider Version-

Netapp ≫ Smi-s Provider Version-

Netapp ≫ Snapmanager Version- SwPlatformhyper-v

Netapp ≫ A250 Firmware Version-

Netapp ≫ A250 Version-

Netapp ≫ A700s Firmware Version-

Netapp ≫ A700s Version-

Netapp ≫ Aff 500f Firmware Version-

Netapp ≫ Aff 500f Version-

Netapp ≫ Aff 8300 Firmware Version-

Netapp ≫ Aff 8300 Version-

Netapp ≫ Aff 8700 Firmware Version-

Netapp ≫ Aff 8700 Version-

Netapp ≫ Aff A400 Firmware Version-

Netapp ≫ Aff A400 Version-

Netapp ≫ Fabric-attached Storage A400 Firmware Version-

Netapp ≫ Fabric-attached Storage A400 Version-

Netapp ≫ Fas 500f Firmware Version-

Netapp ≫ Fas 500f Version-

Netapp ≫ Fas 8300 Firmware Version-

Netapp ≫ Fas 8300 Version-

Netapp ≫ Fas 8700 Firmware Version-

Netapp ≫ Fas 8700 Version-

Netapp ≫ H300e Firmware Version-

Netapp ≫ H300e Version-

Netapp ≫ H300s Firmware Version-

Netapp ≫ H300s Version-

Netapp ≫ H410s Firmware Version-

Netapp ≫ H410s Version-

Netapp ≫ H500e Firmware Version-

Netapp ≫ H500e Version-

Netapp ≫ H500s Firmware Version-

Netapp ≫ H500s Version-

Netapp ≫ H700e Firmware Version-

Netapp ≫ H700e Version-

Netapp ≫ H700s Firmware Version-

Netapp ≫ H700s Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.331

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf

https://security.netapp.com/advisory/ntap-20220602-0009/

Third Party Advisory

https://www.openssl.org/news/secadv/20220503.txt

Vendor Advisory

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2eda98790c5c2741d76d23cc1e74b0dc4f4b391a

https://nvd.nist.gov/vuln/detail/CVE-2022-1343

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-1343

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-1343

EUVD