CVE-2024-27355 - Vulnerability Details - OpenCVE

An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Phpseclib	Phpseclib

Configuration 1 [-]

OR	cpe:2.3:a:phpseclib:phpseclib::::::::
	cpe:2.3:a:phpseclib:phpseclib::::::::
	cpe:2.3:a:phpseclib:phpseclib::::::::

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b
https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129
https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html
https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html

History

Mon, 15 Sep 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Debian Debian debian Linux
CPEs		cpe:2.3:a:phpseclib:phpseclib:::::::: cpe:2.3:o:debian:debian_linux:10.0:::::::*
Vendors & Products		Debian Debian debian Linux

Tue, 13 Aug 2024 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-03-01T00:00:00

Updated: 2024-08-13T13:38:16.577Z

Reserved: 2024-02-25T00:00:00

Link: CVE-2024-27355

Vulnrichment

Updated: 2024-08-02T00:34:51.670Z

NVD

Status : Analyzed

Published: 2024-03-01T23:15:08.553

Modified: 2025-09-15T17:17:49.997

Link: CVE-2024-27355

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-27355", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-13T13:38:16.577Z", "dateReserved": "2024-02-25T00:00:00", "datePublished": "2024-03-01T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-05T15:06:02.520276"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID)."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129"}, {"url": "https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b"}, {"name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3749-1] phpseclib security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html"}, {"name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3750-1] php-phpseclib security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:51.670Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3749-1] phpseclib security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html"}, {"name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3750-1] php-phpseclib security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "affected": [{"vendor": "phpseclib", "product": "phpseclib", "cpes": ["cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0", "status": "affected", "lessThan": "1.0.23", "versionType": "custom"}, {"version": "2.0", "status": "affected", "lessThan": "2.0.47", "versionType": "custom"}, {"version": "3.0", "status": "affected", "lessThan": "3.0.36", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-09T14:10:07.399957Z", "id": "CVE-2024-27355", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T13:38:16.577Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129", "tags": ["x_transferred"]}, {"url": "https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html", "name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3749-1] phpseclib security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html", "name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3750-1] php-phpseclib security update", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:51.670Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-27355", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-09T14:10:07.399957Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*"], "vendor": "phpseclib", "product": "phpseclib", "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.0.23", "versionType": "custom"}, {"status": "affected", "version": "2.0", "lessThan": "2.0.47", "versionType": "custom"}, {"status": "affected", "version": "3.0", "lessThan": "3.0.36", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-13T13:38:07.529Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129"}, {"url": "https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html", "name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3749-1] phpseclib security update", "tags": ["mailing-list"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html", "name": "[debian-lts-announce] 20240305 [SECURITY] [DLA 3750-1] php-phpseclib security update", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-03-05T15:06:02.520276"}}}, "cveMetadata": {"cveId": "CVE-2024-27355", "state": "PUBLISHED", "dateUpdated": "2024-08-13T13:38:16.577Z", "dateReserved": "2024-02-25T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-03-01T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*", "matchCriteriaId": "A566C1D0-4B65-4023-80A8-923CC0B656E5", "versionEndExcluding": "1.0.23", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4B6DD8F-121D-40A5-BB9B-D76F01042563", "versionEndExcluding": "2.0.47", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:phpseclib:phpseclib:*:*:*:*:*:*:*:*", "matchCriteriaId": "96D4B508-CF51-4C6A-8FF3-F09A7117E613", "versionEndExcluding": "3.0.36", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in phpseclib 1.x before 1.0.23, 2.x before 2.0.47, and 3.x before 3.0.36. When processing the ASN.1 object identifier of a certificate, a sub identifier may be provided that leads to a denial of service (CPU consumption for decodeOID)."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en phpseclib 1.x anterior a 1.0.23, 2.x anterior a 2.0.47 y 3.x anterior a 3.0.36. Al procesar el identificador de objeto ASN.1 de un certificado, se puede proporcionar un subidentificador que conduzca a una denegaci\u00f3n de servicio (consumo de CPU para decodeOID)."}], "id": "CVE-2024-27355", "lastModified": "2025-09-15T17:17:49.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-01T23:15:08.553", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/katzj/ee72f3c2a00590812b2ea3c0c8890e0b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/phpseclib/phpseclib/blob/978d081fe50ff92879c50ff143c62a143edb0117/phpseclib/File/ASN1.php#L1129"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00002.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00003.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}