Description
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
References
- Mailing List
- Mailing List
- Mailing List
- Patch, Vendor Advisory
- Third Party Advisory, VDB Entry
- Broken Link
- Broken Link
- Broken Link
Vulnerable configurations
One of
All of
One of
EPSS
6.8 Medium
CVSS2
Defects
Related vulnerabilities
The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.
EPSS
6.8 Medium
CVSS2