{"containers": {"cna": {"providerMetadata": {"dateUpdated": "2022-07-29T09:35:09", "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl"}, "rejectedReasons": [{"lang": "en", "value": "DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. OpenSSL does not class this issue as a security vulnerability. The trusted CA store should not contain anything that the user does not trust to issue other certificates. Notes: https://github.com/openssl/openssl/issues/5236#issuecomment-119646061"}]}}, "cveMetadata": {"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "assignerShortName": "openssl", "cveId": "CVE-2021-3601", "datePublished": "2022-07-29T09:35:09", "dateRejected": "2022-07-29T09:35:09", "dateReserved": "2021-06-14T00:00:00", "dateUpdated": "2022-07-29T09:35:09", "state": "REJECTED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. OpenSSL does not class this issue as a security vulnerability. The trusted CA store should not contain anything that the user does not trust to issue other certificates. Notes: https://github.com/openssl/openssl/issues/5236#issuecomment-119646061"}], "id": "CVE-2021-3601", "lastModified": "2023-11-07T03:38:08.903", "metrics": {}, "published": "2022-07-29T10:15:12.297", "references": [], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Rejected"}

{"acknowledgement": "Red Hat would like to thank Hubert Kario for reporting this issue.", "bugzilla": {"description": "openssl: Certificate with CA:FALSE is accepted as valid CA cert", "id": "1970201", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1970201"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-295", "details": ["A flaw was found in the way OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. This flaw allows an attacker with access to a private key, of which the corresponding certificate is in the trust bundle, to use this flaw for MITM to any connection from the victim machine."], "mitigation": {"lang": "en:us", "value": "Red Hat recommends not to include self-signed server certificates in system trust bundle, even with CA:FALSE, as they are considered full-fledged Certificate Authorities."}, "name": "CVE-2021-3601", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-06-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3601\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3601"], "statement": "It was found that OpenSSL will accept a certificate with explicitly set Basic Constraints to CA:FALSE as a valid CA if it is present in the trusted bundle. The exploitability of this bug is limited; the attacker needs to get access to a private key of which the corresponding certificate is in the trust bundle. The attacker is able to leverage this certificate to MITM any connection from the victim machine, not just ones to the specific server that uses the self-signed certificate.", "threat_severity": "Low"}