CVE-2023-0466
Certificate policy check not enabledThe function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
We have discovered 26,461 live websites that are affected by CVE-2023-0466.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Domains | 26,461 live websites (3.95% of OpenSSL install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 9 versions ( 22.50% of all versions) |
Details
- Published - Mar 28, 2023
- Updated - Feb 19, 2025
Credits
- David Benjamin (Google) (reporter)
- Tomas Mraz (remediation developer)
CVE References
CVE-2023-0466 usage by Country
 United States | 12,695 websites |
 France | 2,385 websites |
 Germany | 1,547 websites |
 Japan | 1,443 websites |
 GB | 891 websites |
 Canada | 880 websites |
 Finland | 691 websites |
 Netherlands | 637 websites |
 Italy | 442 websites |
 Hungary | 406 websites |
CVE-2023-0466 usage by TLD
| .com | 11,579 websites |
| .org | 1,244 websites |
| .net | 1,159 websites |
| .jp | 939 websites |
| .edu | 829 websites |
| .ca | 741 websites |
| .co.uk | 720 websites |
| .nl | 558 websites |
| .fi | 550 websites |
| .fr | 545 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-0466
Top websites that are affected by CVE-2023-0466. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | United States | *,*** | |
| ***.***********.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| ******.***************.com | United States | *,*** | |
| ****************.com | United States | **,*** | |
| **.***.au |  Australia | **,*** | |
| ***.edu | United States | **,*** | |
| *********.ch | United States | **,*** | |
| ******.org |  Singapore | **,*** | |
| ********.org | France | **,*** |
FAQ
A total of 26,461 websites have been identified as vulnerable to CVE-2023-0466, discovered through global website indexing conducted by WebTechSurvey.
OpenSSL is susceptible to CVE-2023-0466 vulnerability.
OpenSSL versions before 3.1.1 are vulnerable to CVE-2023-0466.
Version 3.1.1 of OpenSSL addresses the CVE-2023-0466 security vulnerability.
References
- https://www.openssl.org/news/secadv/20230328.txt
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72
- https://security.netapp.com/advisory/ntap-20230414-0001/
- https://www.debian.org/security/2023/dsa-5417
- https://lists.debian.org/debian-lts-announce/2023/06/msg00011.html
- http://www.openwall.com/lists/oss-security/2023/09/28/4
- https://security.gentoo.org/glsa/202402-08