exploitDog

CVE-2021-3336

Published: 29 Jan 2021
Source: nvd
CVSS3: 8.1
CVSS2: 6.8
EPSS: Low

Description

DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED25519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers.

Vulnerable configurations

Configuration 1
cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*
Versions before 4.7.0 (excluding)

EPSS

Percentile: 43%
0.0021
Low

CVSS3: 8.1 High

CVSS2: 6.8 Medium

Weaknesses

CWE-295

Related vulnerabilities

CVSS3: 8.1
ubuntu
about 5 years ago

DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED25519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers.

CVSS3: 8.1
debian
about 5 years ago

DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not c ...

github
more than 3 years ago

DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not cease processing for certain anomalous peer behavior (sending an ED25519, ED448, ECC, or RSA signature without the corresponding certificate).
