search

vipinsun / TrustID

Decentralized Identity solution compatible with different Hyperledger platforms.
https://wiki.hyperledger.org/display/fabric
Apache License 2.0
0 stars 0 forks source link

CVE-2021-23840 (High) detected in opensslf960d81215ebf3f65e03d4d5d857fb9b666d6920 #32

Open mend-bolt-for-github[bot] opened 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2021-23840 - High Severity Vulnerability

Vulnerable Library - opensslf960d81215ebf3f65e03d4d5d857fb9b666d6920

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in HEAD commit: 1c9178c5a1b42520307da1fa7f9b1899276178ed

Found in base branch: master

Vulnerable Source Files (2)

/trustid-sdk/node_modules/node/node_modules/node-darwin-x64/include/node/openssl/evperr.h /trustid-sdk/node_modules/node/node_modules/node-darwin-x64/include/node/openssl/evperr.h

Vulnerability Details

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).

Publish Date: 2021-02-16

URL: CVE-2021-23840

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23840

Release Date: 2021-02-16

Fix Resolution: OpenSSL_1_1_1j; openssl-src -111.14.0+1.1.1j

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] commented 11 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-bolt-for-github[bot] commented 8 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.