{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-14T12:32:35.498","vulnerabilities":[{"cve":{"id":"CVE-2025-4575","sourceIdentifier":"openssl-security@openssl.org","published":"2025-05-22T14:16:07.630","lastModified":"2025-10-23T14:51:30.377","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Issue summary: Use of -addreject option with the openssl x509 application adds\na trusted use instead of a rejected use for a certificate.\n\nImpact summary: If a user intends to make a trusted certificate rejected for\na particular use it will be instead marked as trusted for that use.\n\nA copy & paste error during minor refactoring of the code introduced this\nissue in the OpenSSL 3.5 version. If, for example, a trusted CA certificate\nshould be trusted only for the purpose of authenticating TLS servers but not\nfor CMS signature verification and the CMS signature verification is intended\nto be marked as rejected with the -addreject option, the resulting CA\ncertificate will be trusted for CMS signature verification purpose instead.\n\nOnly users which use the trusted certificate format who use the openssl x509\ncommand line application to add rejected uses are affected by this issue.\nThe issues affecting only the command line application are considered to\nbe Low severity.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue.\n\nOpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are also not affected by this\nissue."},{"lang":"es","value":"Resumen del problema: El uso de la opción -addreject con la aplicación openssl x509 añade un uso confiable en lugar de uno rechazado para un certificado. Resumen del impacto: Si un usuario intenta rechazar un certificado confiable para un uso específico, se marcará como confiable para ese uso. Un error de copiar y pegar durante una pequeña refactorización del código introdujo este problema en la versión OpenSSL 3.5. Si, por ejemplo, un certificado de CA confiable solo debe ser confiable para autenticar servidores TLS, pero no para la verificación de firmas CMS, y esta verificación se marca como rechazada con la opción -addreject, el certificado de CA resultante se considerará confiable para la verificación de firmas CMS. Este problema solo afecta a los usuarios que usan el formato de certificado confiable y la aplicación de línea de comandos openssl x509 para añadir usos rechazados. Los problemas que afectan solo a la aplicación de línea de comandos se consideran de gravedad baja. Los módulos FIPS de las versiones 3.5, 3.4, 3.3, 3.2, 3.1 y 3.0 no se ven afectados. OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 y 1.0.2 tampoco se ven afectados por este problema."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.5}]},"weaknesses":[{"source":"openssl-security@openssl.org","type":"Secondary","description":[{"lang":"en","value":"CWE-295"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openssl:openssl:3.5.0:*:*:*:*:*:*:*","matchCriteriaId":"91ADE80D-F0FB-4EC0-AAB1-2AA34E2FC63D"}]}]}],"references":[{"url":"https://github.com/openssl/openssl/commit/e96d22446e633d117e6c9904cb15b4693e956eaa","source":"openssl-security@openssl.org","tags":["Patch"]},{"url":"https://openssl-library.org/news/secadv/20250522.txt","source":"openssl-security@openssl.org","tags":["Vendor Advisory"]},{"url":"http://www.openwall.com/lists/oss-security/2025/05/22/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]}]}}]}