CVE-2025-9232
Description
Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the no_proxy environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.

Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.

The OpenSSL HTTP client API functions can be used directly by applications but they are also used by the OCSP client functions and CMP (Certificate Management Protocol) client implementation in OpenSSL. However the URLs used by these implementations are unlikely to be controlled by an attacker.

In this vulnerable code the out of bounds read can only trigger a crash. Furthermore the vulnerability requires an attacker-controlled URL to be passed from an application to the OpenSSL function and the user has to have a no_proxy environment variable set. For the aforementioned reasons the issue was assessed as Low severity.

The vulnerable code was introduced in the following patch releases: 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the HTTP client implementation is outside the OpenSSL FIPS module boundary.
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (64-bit) 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (64-bit) 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (64-bit) 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (64-bit) 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL (64-bit) 3.0.18 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x86) 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x86) 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x86) 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x86) 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL 3.0.18 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL (MSI)(x86) 3.0.18 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x64) 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x64) 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x64) 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (MSI)(x64) 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL (MSI)(x64) 3.0.18 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL Light 3.0.18 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light (x64) 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light (x64) 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light (x64) 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light (x64) 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL Light (x64) 3.0.18 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (3.5.4) | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL (x64) (3.5.4) | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light (3.5.4) | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Light (x64) (3.5.4) | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL Library 3.0.18 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library x86 3.5.4 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library x86 3.4.3 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library x86 3.3.5 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9231,CVE-2025-9232 are fixed in OpenSSL Library x86 3.2.6 | Windows |
| Vulnerabilities CVE-2025-9230,CVE-2025-9232 are fixed in OpenSSL Library x86 3.0.18 | Windows |
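The release ranges in the description and the fixed versions in the table above can be turned into a triage check that also tests the no_proxy precondition. This is an added example, not code from OpenSSL or ManageEngine; the function names and the sample inventory lines are constructed for illustration, and the 3.1 branch is treated as affected from 3.1.8 onward because no fixed 3.1.x release is listed on this page.

```python
import os
import re

# Per branch: (first affected release, first fixed release), both taken from
# this page. No fixed 3.1.x release is listed here, hence None (assumption:
# every 3.1 release from 3.1.8 on is treated as affected).
BRANCHES = {
    (3, 0): ((3, 0, 16), (3, 0, 18)),
    (3, 1): ((3, 1, 8), None),
    (3, 2): ((3, 2, 4), (3, 2, 6)),
    (3, 3): ((3, 3, 3), (3, 3, 5)),
    (3, 4): ((3, 4, 0), (3, 4, 3)),
    (3, 5): ((3, 5, 0), (3, 5, 4)),
}

def parse_version(text):
    """Pull (major, minor, patch) out of e.g. 'OpenSSL 3.5.2 5 Aug 2025'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version_text):
    """True if the release carries the vulnerable HTTP client code."""
    version = parse_version(version_text)
    branch = BRANCHES.get(version[:2])
    if branch is None:  # branch not named on the page
        return False
    first_bad, first_fixed = branch
    return version >= first_bad and (first_fixed is None or version < first_fixed)

def no_proxy_set(env=None):
    """The precondition from the description; OpenSSL also reads NO_PROXY."""
    env = os.environ if env is None else env
    return any(env.get(name) for name in ("no_proxy", "NO_PROXY"))

def triage(version_text, env=None):
    if not is_affected(version_text):
        return "not affected"
    return "affected, no_proxy set" if no_proxy_set(env) else "affected, no_proxy unset"

if __name__ == "__main__":
    # Constructed inventory lines, not taken from a real host.
    for line in ("OpenSSL 3.0.15 3 Sep 2024", "OpenSSL 3.3.4 1 Jul 2025",
                 "OpenSSL 3.5.4 30 Sep 2025"):
        print(f"{line:28} -> {triage(line)}")
```

A host reported as "affected, no_proxy unset" still needs the update, since the environment of a service can change independently of the installed library.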
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-352260 | OpenSSL (x64) (3.6.0) |
| PATCH-352259 | OpenSSL (3.6.0) |
| PATCH-355451 | OpenSSL Light (3.6.1) |
| PATCH-355452 | OpenSSL Light (x64) (3.6.1) |
| PATCH-355449 | OpenSSL (3.6.1) |
| PATCH-355450 | OpenSSL (x64) (3.6.1) |