`openssl` `SubjectAlternativeName` and `ExtendedKeyUsage::other` allow arbitrary file read

Published: Mar 24, 2023
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-9qwg-crg9-m2vc" target="_blank" rel="noopener"> GHSA-9qwg-crg9-m2vc
Severity: High
Exploit:

SubjectAlternativeName and ExtendedKeyUsage arguments were parsed using the OpenSSL function X509V3_EXT_nconf. This function parses all input using an OpenSSL mini-language which can perform arbitrary file reads.

Thanks to David Benjamin (Google) for reporting this issue.