Vulnerability in OpenSSL

CVE-2023-2650

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS…

EPSS: 0.918 (99.7th percentile)

Affected products

  • OpenSSL — versions 3.1.1, 3.0.0, 1.1.1

Frequently asked questions

What is CVE-2023-2650?
CVE-2023-2650 is a vulnerability in OpenSSL. Published 2023-05-30.
Is CVE-2023-2650 known to be exploited?
8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.