Cyber Resilience

CVE-2024-12797

Medium

Published: 11 February 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
EPSS Score: 0.0080 (74.6th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12797 is a medium-severity Missing Report of Error Condition (CWE-392) vulnerability in the OpenSSL library (inferred from references). Its CVSS base score is 6.3 (Medium).

Operationally, it ranks in the top 25.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.

Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-middle attacks when server authentication failure is not detected by clients.

RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER.

Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected.

This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

OpenSSL Library
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-392

Mandates alerting on audit failures, directly providing the missing report of the error condition.

addresses: CWE-392

Reporting the security and privacy status to organizational officials ensures monitoring and assessment results are communicated rather than omitted.

addresses: CWE-392

Requires reporting and escalation of error conditions and incidents per documented procedures.

addresses: CWE-392

IR testing would expose missing error reporting that prevents timely incident detection and response.

addresses: CWE-392

Offers direct support for reporting incidents, addressing the failure to report error conditions or security events.

addresses: CWE-392

Includes explicit reporting of security status and analysis results, addressing missing reports of error or monitoring conditions.

References