CVE-2023-6237
Excessive time spent checking invalid RSA public keysIssue summary: Checking excessively long invalid RSA public keys may take a long time. Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the '-pubin' and '-check' options on untrusted data. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are affected by this issue.
We have discovered 33,094 live websites that are affected by CVE-2023-6237.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Domains | 33,094 live websites (4.94% of OpenSSL install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 15 versions ( 37.50% of all versions) |
Common Weakness Enumeration
CWE-606 Unchecked Input for Loop ConditionDetails
- Published - Apr 25, 2024
- Updated - Nov 1, 2024
Credits
- OSS-Fuzz (finder)
- Tomas Mraz (remediation developer)
CWE
CVE References
CWE References
CVE-2023-6237 usage by Country
 United States | 13,764 websites |
 France | 2,590 websites |
 Switzerland | 2,266 websites |
 Germany | 1,831 websites |
 GB | 1,508 websites |
 Japan | 1,483 websites |
 Canada | 922 websites |
 Netherlands | 734 websites |
 Finland | 721 websites |
 Italy | 556 websites |
CVE-2023-6237 usage by TLD
| .com | 13,047 websites |
| .ch | 2,220 websites |
| .org | 1,484 websites |
| .net | 1,413 websites |
| .co.uk | 1,010 websites |
| .jp | 946 websites |
| .edu | 872 websites |
| .ca | 771 websites |
| .de | 686 websites |
| .fr | 646 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2023-6237
Top websites that are affected by CVE-2023-6237. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.com | United States | *,*** | |
| ***.***********.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| ******.***************.com | United States | *,*** | |
| ****************.ch | Switzerland | *,*** | |
| ****************.com | United States | **,*** | |
| **.***.au |  Australia | **,*** | |
| ***.edu | United States | **,*** | |
| *********.ch | United States | **,*** | |
| *******.com | United States | **,*** |
FAQ
CVE-2023-6237 is Unchecked Input for Loop Condition in OpenSSL
A total of 33,094 websites have been identified as vulnerable to CVE-2023-6237, discovered through global website indexing conducted by WebTechSurvey.
OpenSSL is susceptible to CVE-2023-6237 vulnerability.
OpenSSL versions before 3.2.1 are vulnerable to CVE-2023-6237.
Version 3.2.1 of OpenSSL addresses the CVE-2023-6237 security vulnerability.