CVE-2023-5363

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Oct 25, 2023
Updated: Feb 1, 2024

Summary

CVE-2023-5363 is a bug in OpenSSL 3.0 and 3.1 in the processing of key and initialization vector (IV) lengths by EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2(). These functions process the supplied OSSL_PARAM array only after the key and IV have already been established, so a change to the key length ("keylen") or IV length ("ivlen") requested in that array does not take effect as intended, and the key or IV can be truncated or over-read. The affected ciphers and modes are RC2, RC4, RC5, CCM, GCM and OCB. For CCM, GCM and OCB, a truncated IV can make IVs non-unique (for example, when the counter portion of a deterministic IV built as described in NIST SP 800-38D section 8.2.1 is truncated away), which leads to loss of confidentiality. Truncation or overrun of the key, and overrun of the IV, produce incorrect results and can in some cases trigger a memory exception. The OpenSSL project rates the issue Moderate severity, lower than the CVSS 3.1 score listed above: the probability that an application is affected is low because changing key or IV lengths is uncommon, the _ex2 API was only recently introduced, and decryption would fail during testing unless both peers were similarly vulnerable; where an application is affected, however, the consequences are serious. The OpenSSL SSL/TLS implementation is not affected, and the 3.0 and 3.1 FIPS providers are not affected because the bug lies outside the FIPS provider boundary. The issue is fixed in OpenSSL 3.0.12 and 3.1.4.



Affected Products

  • OpenSSL
  • Openssl Project Openssl
  • Debian

Affected Vendors

  • The OpenSSL Project
  • Debian