CVE: CVE-2002-0862

Export to Word

The (1) CertGetCertificateChain, (2) CertVerifyCertificateChainPolicy, and (3) WinVerifyTrust APIs within the CryptoAPI for Microsoft products including Microsoft Windows 98 through XP, Office for Mac, Internet Explorer for Mac, and Outlook Express for Mac, do not properly verify the Basic Constraints of intermediate CA-signed X.509 certificates, which allows remote attackers to spoof the certificates of trusted sites via a man-in-the-middle attack for SSL sessions, as originally reported for Internet Explorer and IIS.

Threat-Mapped Scoring

Score: 0.0

Priority: Unclassified

EPSS

Score: 0.20154
Percentile: 0.95232

CVSS Scoring

CVSS v2 Score: 6.8

Severity:

Mapped CWE(s)

CWE-295 : Improper Certificate Validation

All CAPEC(s)

CAPEC-459: Creating a Rogue Certification Authority Certificate
CAPEC-475: Signature Spoofing by Improper Validation

CAPEC(s) with Mapped TTPs

Mapped ATT&CK TTPs

Affected Products

cpe:2.3:o:microsoft:windows_2000:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_98:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_98se:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_me:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_nt:4.0:-:*:*:-:*:*:*
cpe:2.3:o:microsoft:windows_nt:4.0:-:*:*:terminal_server:*:*:*
cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:-:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:outlook_express:-:*:*:*:*:*:*:*

← Back to Home