Vulnerability DatabaseCVE-2023-0466

CVE-2023-0466:
Node.js vulnerability analysis and mitigation

Overview

CVE-2023-0466 affects OpenSSL versions 3.1, 3.0, 1.1.1, and 1.0.2. The vulnerability relates to the X509VERIFYPARAMadd0policy() function, which was documented to enable certificate policy checking during certificate verification, but the implementation does not actually enable this check. This allows certificates with invalid or incorrect policies to pass the certificate verification process (OpenSSL Advisory).

Technical details

The vulnerability stems from a discrepancy between documentation and implementation in the X509VERIFYPARAMadd0policy() function. While the function was documented to implicitly enable certificate policy checking during verification, the actual implementation does not enable this check. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications (OpenSSL Advisory).

Impact

The impact of this vulnerability is considered Low severity with a CVSS score of 5.3 (Medium). The vulnerability could potentially allow certificates with invalid or incorrect policies to pass the certificate verification process. However, since certificate policy checks are disabled by default and not commonly used by applications, the real-world impact is limited (Ubuntu Security).

Mitigation and workarounds

Applications requiring OpenSSL to perform certificate policy checks should use X509VERIFYPARAMset1policies() or explicitly enable the policy check by calling X509VERIFYPARAMsetflags() with the X509VFLAGPOLICYCHECK flag argument. Due to the low severity of this issue, OpenSSL maintained the existing behavior of X509VERIFYPARAMadd0policy() to avoid breaking existing deployments (OpenSSL Advisory).

Additional resources

Source: This report was generated using AI

5.3

Score

Published March 28, 2023

Severity MEDIUM

CNA Score 5.3

Affected Technologies

Node.js
OpenSSL

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 70.2

Exploitation Probability (EPSS) 0.7

Affected packages and libraries

openssl-debugsource
openssl-devel

Sources

AlmaLinux Security Advisory
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Jun 27, 2023
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14 Severity MEDIUMNo FixAdded at: Dec 03, 2023
- Alpine 3.17 Severity MEDIUMHas FixAdded at: Apr 02, 2023
- Alpine 3.18 Severity MEDIUMHas FixAdded at: May 11, 2023
- Alpine 3.19 Severity MEDIUMHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity MEDIUMHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity MEDIUMHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity MEDIUMHas FixAdded at: Jun 01, 2025
- Alpine edge Severity MEDIUMHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity MEDIUMHas FixAdded at: Jun 10, 2023
Container-Optimized OS Release Notes
- Container-Optimized OS Severity MEDIUMHas FixAdded at: Apr 19, 2023
Debian Security Tracker
- Debian 10, 11, 12 Severity MEDIUMHas FixAdded at: Apr 02, 2023
- Debian 13 Severity MEDIUMHas FixAdded at: Jun 11, 2023
Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Feb 04, 2024
Nix
- Nix Severity MEDIUMHas FixAdded at: Nov 01, 2023
Photon Security Advisory
- Photon 3.0, 4.0, 5.0 Severity MEDIUMHas FixAdded at: Jul 04, 2023
Red Hat Errata
- Red Hat 6, 7, 8 Severity MEDIUMNo FixAdded at: Apr 02, 2023
- Red Hat 9 Severity MEDIUMHas FixAdded at: Apr 02, 2023
Ubuntu Security Tracker
- Ubuntu 14.04, 16.04, 18.04, 20.04, 22.04, 22.10 Severity LOWHas FixAdded at: Apr 05, 2023
- Ubuntu 23.04 Severity LOWHas FixAdded at: May 14, 2023
- Ubuntu 23.10 Severity LOWHas FixAdded at: Oct 31, 2023
- Ubuntu 24.04 Severity LOWHas FixAdded at: May 06, 2024
- Ubuntu 24.10 Severity LOWHas FixAdded at: Dec 10, 2024
- Ubuntu 25.04 Severity LOWHas FixAdded at: May 08, 2025
NVD
- Linux Severity MEDIUMHas FixAdded at: Jul 07, 2024
- Windows Severity MEDIUMHas FixAdded at: Apr 09, 2023