HOMEVULNERABILITIESCVE-2023-5363
HIGH

CVE-2023-5363

CWE-684Published: October 25, 2023· Updated: Jun 17, 2026

7.5
CVSS v3.1

Official Description

Issue summary: A bug has been identified in the processing of key and

initialisation vector (IV) lengths. This can lead to potential truncation

or overruns during the initialisation of some symmetric ciphers.

Impact summary: A truncation in the IV can result in non-uniqueness,

which could result in loss of confidentiality for some cipher modes.

When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or

EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after

the key and IV have been established. Any alterations to the key length,

via the "keylen" parameter or the IV length, via the "ivlen" parameter,

within the OSSL_PARAM array will not take effect as intended, potentially

causing truncation or overreading of these values. The following ciphers

and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB.

For the CCM, GCM and OCB cipher modes, truncation of the IV can result in

loss of confidentiality. For example, when following NIST's SP 800-38D

section 8.2.1 guidance for constructing a deterministic IV for AES in

GCM mode, truncation of the counter portion could lead to IV reuse.

Both truncations and overruns of the key and overruns of the IV will

produce incorrect results and could, in some cases, trigger a memory

exception. However, these issues are not currently assessed as security

critical.

Changing the key and/or IV lengths is not considered to be a common operation

and the vulnerable API was recently introduced. Furthermore it is likely that

application developers will have spotted this problem during testing since

decryption would fail unless both peers in the communication were similarly

vulnerable. For these reasons we expect the probability of an application being

vulnerable to this to be quite low. However if an application is vulnerable then

this issue is considered very serious. For these reasons we have assessed this

issue as Moderate severity overall.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because

the issue lies outside of the FIPS provider boundary.

OpenSSL 3.1 and 3.0 are vulnerable to this issue.

NVD Source

Technical Analysis

CVE-2023-5363 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityNone
AvailabilityNone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Vendors & Products

Debian1 product(s)
debian linux
netapp10 product(s)
h300s firmwareh300sh410s firmwareh410sh500s firmwareh500sh700s firmwareh700sh410c firmwareh410c
OpenSSL1 product(s)
openssl
Source: NVD CPE · 12 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (17)

Quick Facts

CVE IDCVE-2023-5363
CVSS Score7.5 / 10
SeverityHIGH
WeaknessCWE-684
CISA KEVNo
Affected3 vendor(s)
PublishedOct 25, 2023

Related CVEs (CWE-684)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2023-5363 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.