Описание
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
A flaw was found in Go's crypto/x509 package. This vulnerability allows improper certificate validation, bypassing policy constraints via using ExtKeyUsageAny in VerifyOptions.KeyUsages.
Отчет
This flaw is rated as an Important severity because the vulnerability was found in the certificate validation logic of the Verify function. When VerifyOptions.KeyUsages includes ExtKeyUsageAny, certificate chains containing policy graphs may bypass certificate policy validation. This flaw allows an attacker to trick the system into accepting an invalid certificate, potentially enabling spoofing attacks, the issue weakens trust decisions in affected cases and impacts system integrity. Confidentiality and availability are not affected.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-agent-rhel9 | Affected | ||
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-controller-rhel9 | Affected | ||
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-rhel9 | Affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-controller-rhel9 | Will not fix | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-git-cloner-rhel9 | Will not fix | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-bundler-rhel9 | Will not fix | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-image-processing-rhel9 | Will not fix | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-rhel9-operator | Affected | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-rhel9 | Will not fix | ||
| Builds for Red Hat OpenShift | openshift-builds/openshift-builds-shared-resource-webhook-rhel9 | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Usage of ExtKeyUsageAny disables policy validation in crypto/x509
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsag ...
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
EPSS
7.5 High
CVSS3