FKIE_CVE-2004-0063

Vulnerability from fkie_nvd - Published: 2004-02-17 05:00 - Updated: 2025-04-03 01:03
Severity ?
Summary
The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number.
References
cve@mitre.orghttp://marc.info/?l=bugtraq&m=107411819503569&w=2
cve@mitre.orghttp://www.ncipher.com/support/advisories/advisory8_payshield.htmlVendor Advisory
cve@mitre.orghttp://www.osvdb.org/3537
cve@mitre.orghttp://www.securityfocus.com/bid/9422
cve@mitre.orghttps://exchange.xforce.ibmcloud.com/vulnerabilities/14832
af854a3a-2127-422b-91ae-364da2661108http://marc.info/?l=bugtraq&m=107411819503569&w=2
af854a3a-2127-422b-91ae-364da2661108http://www.ncipher.com/support/advisories/advisory8_payshield.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.osvdb.org/3537
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/9422
af854a3a-2127-422b-91ae-364da2661108https://exchange.xforce.ibmcloud.com/vulnerabilities/14832
Impacted products
Vendor Product Version
ncipher payshield_spp_library 1.3.12
ncipher payshield_spp_library 1.5.18
ncipher payshield_spp_library 1.6.18
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ncipher:payshield_spp_library:1.3.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "B09FF87A-E7A1-43D4-AAAB-1CEE32B55EEC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ncipher:payshield_spp_library:1.5.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "092628C5-FFC4-4C9F-9267-FB6FF68B6491",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ncipher:payshield_spp_library:1.6.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A12E833-A4AF-4417-87D5-6F3F44CE96A6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n SPP_VerifyPW en la librer\u00eda nCipher payShield 1.3.12, 1.5.18 y 1.6.18 devuelve un valor Status_OK incluso si el HSM devuelve un c\u00f3digo de estado diferente, lo que podr\u00eda causar que aplicaciones hiciesen decisi\u00f3nes cr\u00edticas de seguridad de mandera incorrecta, por ejemplo aceptando un n\u00famero PIN no v\u00e1lido."
    }
  ],
  "id": "CVE-2004-0063",
  "lastModified": "2025-04-03T01:03:51.193",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": true,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2004-02-17T05:00:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://marc.info/?l=bugtraq\u0026m=107411819503569\u0026w=2"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.ncipher.com/support/advisories/advisory8_payshield.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.osvdb.org/3537"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/9422"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/14832"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://marc.info/?l=bugtraq\u0026m=107411819503569\u0026w=2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.ncipher.com/support/advisories/advisory8_payshield.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/3537"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/9422"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/14832"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.