
Cloud Vulnerability DB
A community-led vulnerabilities database
OpenSSL reported a vulnerability (CVE-2023-0465) where invalid certificate policies in leaf certificates are silently ignored. The vulnerability was discovered on January 12, 2023, and publicly disclosed on March 28, 2023. This vulnerability affects OpenSSL versions 3.1, 3.0, 1.1.1, and 1.0.2 when using non-default certificate verification options (OpenSSL Advisory).
The vulnerability occurs when applications use non-default options for certificate verification. When invalid certificate policies are present in leaf certificates, OpenSSL silently ignores them and skips other certificate policy checks for that certificate. Policy processing is disabled by default but can be enabled by passing the -policy argument to command line utilities or by calling the X509_VERIFY_PARAM_set1_policies() function. The vulnerability has been assigned a CVSS score of 5.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD, NetApp Advisory).
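To make concrete what "enabling policy processing with the -policy argument" means, the following is an added example (not part of this report or of OpenSSL's own code) that builds a throwaway CA and two leaf certificates, then shows that OpenSSL only consults the certificatePolicies extension once -policy/-policy_check is passed, and that -explicit_policy makes a leaf asserting the wrong policy fail. It assumes the openssl CLI is on PATH; the policy OIDs under 1.3.6.1.4.1.99999 are constructed for the demo.

```shell
# Added example, not from the advisory: turn on OpenSSL certificate policy
# checking with the -policy option the advisory names. Assumes the openssl CLI
# is on PATH; the OIDs under 1.3.6.1.4.1.99999 are constructed for the demo.
set -eu
POLICY_REQUIRED="1.3.6.1.4.1.99999.1"   # constructed: policy the relying party demands
POLICY_OTHER="1.3.6.1.4.1.99999.2"      # constructed: an unrelated policy
# make_chain DIR: throwaway CA plus two leaves, one asserting the required
# policy and one asserting a different policy.
make_chain() {
    dir="$1"
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    for name in good other; do
        if [ "$name" = good ]; then oid="$POLICY_REQUIRED"; else oid="$POLICY_OTHER"; fi
        openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        # The leaf's certificatePolicies extension is what policy checking inspects.
        printf 'certificatePolicies = %s\n' "$oid" > "$dir/$name.ext"
        openssl x509 -req -days 1 -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
    done
}
# verify_with_policy DIR LEAF: succeed only if LEAF verifies with policy
# processing on and the required policy demanded explicitly. Without
# -policy/-policy_check OpenSSL never consults certificatePolicies at all.
verify_with_policy() {
    openssl verify -CAfile "$1/ca.pem" -policy_check -policy "$POLICY_REQUIRED" \
        -explicit_policy "$1/$2.pem" >/dev/null 2>&1
}
# demo: returns 0 when the conforming leaf is accepted and the other rejected.
demo() {
    dir="$(mktemp -d)"
    make_chain "$dir"
    rc=1
    if verify_with_policy "$dir" good && ! verify_with_policy "$dir" other; then
        rc=0
    fi
    rm -rf "$dir"
    return "$rc"
}
```

Run `demo` to exercise both cases; the rejected leaf fails with OpenSSL's "no explicit policy" error, which is the check an unpatched build skips when the leaf carries an invalid policy.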
A malicious Certificate Authority (CA) could exploit this vulnerability to deliberately assert invalid certificate policies, effectively circumventing policy checking on the certificate altogether. This could lead to the addition or modification of data in affected systems (OpenSSL Advisory, Debian Advisory).
Due to the low severity of this issue, OpenSSL did not immediately issue new releases. The fix was included in subsequent releases and is available in commits facfb1ab (for 3.1), 1dd43e07 (for 3.0), b013765a (for 1.1.1), and 10325176 (for 1.0.2) in the OpenSSL git repository. Various distributions have released patches, including Debian (version 1.1.1n-0+deb11u5) and Red Hat (OpenSSL Advisory, Debian Advisory).
Source: This report was generated using AI