Description
In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeed without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.
References
- Issue Tracking, Vendor Advisory
Vulnerable configurations
Configuration 1: version from 2.0.0 (inclusive) to 2.6.5 (exclusive)
One of
cpe:2.3:a:eclipse:californium:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:californium:3.0.0:m1:*:*:*:*:*:*
cpe:2.3:a:eclipse:californium:3.0.0:m2:*:*:*:*:*:*
cpe:2.3:a:eclipse:californium:3.0.0:m3:*:*:*:*:*:*
EPSS
Percentile: 15%
Score: 0.00048 (Low)
CVSS3: 7.5 High
CVSS2: 5 Medium
Weaknesses
CWE-322
CWE-347
Related vulnerabilities
github, more than 3 years ago