{"id":"RUSTSEC-2021-0058","summary":"Null pointer deref in `X509_issuer_and_serial_hash()`","details":"The OpenSSL public API function `X509_issuer_and_serial_hash()` attempts to\ncreate a unique hash value based on the issuer and serial number data contained\nwithin an X509 certificate. However it fails to correctly handle any errors\nthat may occur while parsing the issuer field (which might occur if the issuer\nfield is maliciously constructed). This may subsequently result in a NULL\npointer deref and a crash leading to a potential denial of service attack.\n\nThe function `X509_issuer_and_serial_hash()` is never directly called by OpenSSL\nitself so applications are only vulnerable if they use this function directly\nand they use it on certificates that may have been obtained from untrusted\nsources.","aliases":["CVE-2021-23841","GHSA-84rm-qf37-fgc2"],"modified":"2023-11-08T04:05:13.735348Z","published":"2021-05-01T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/openssl-src"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0058.html"},{"type":"WEB","url":"https://www.openssl.org/news/secadv/20210216.txt"}],"affected":[{"package":{"name":"openssl-src","ecosystem":"crates.io","purl":"pkg:cargo/openssl-src"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"111.14.0"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":[],"os":[]},"affected_functions":null},"database_specific":{"informational":null,"cvss":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","categories":["denial-of-service"],"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0058.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}