Uncontrolled Resource Consumption Affecting openssl package, versions >=0.0.0


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Uncontrolled Resource Consumption vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUBY-OPENSSL-6913424
  • published19 May 2024
  • disclosed16 May 2024
  • creditUnknown

Introduced: 16 May 2024

CVE-2024-4603  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

openssl is a package that wraps the OpenSSL library.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption due to improper user input validation in the EVP_PKEY_param_check or EVP_PKEY_public_check functions. An attacker can cause a denial of service by supplying excessively long DSA keys or parameters obtained from an untrusted source.

Note:

OpenSSL does not call these functions on untrusted DSA keys, so only applications that directly call these functions may be vulnerable.

Also vulnerable are the OpenSSL pkey and pkeyparam command line applications when using the "-check" option.

CVSS Scores

version 3.1