Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2019-11235

Опубликовано: 10 апр. 2019
Источник: redhat
CVSS3: 8.1
EPSS Низкий

Описание

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

A vulnerability was found in FreeRadius. An invalid curve attack allows an attacker to authenticate as any user, without knowing the password. FreeRADIUS doesn't verify whether the received elliptic curve point is valid. The highest threat from this vulnerability is to data confidentiality and integrity.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5freeradiusNot affected
Red Hat Enterprise Linux 5freeradius2Not affected
Red Hat Enterprise Linux 6freeradiusNot affected
Red Hat Enterprise Linux 7freeradiusFixedRHSA-2019:113109.05.2019
Red Hat Enterprise Linux 8freeradiusFixedRHSA-2019:114213.05.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-345
https://bugzilla.redhat.com/show_bug.cgi?id=1695748freeradius: eap-pwd: authentication bypass via an invalid curve attack

EPSS

Процентиль: 90%
0.0601
Низкий

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2019-11235

CVSS3: 9.8
ubuntu
почти 7 лет назад

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

nvd логотип

CVE-2019-11235

CVSS3: 9.8
nvd
почти 7 лет назад

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

debian логотип

CVE-2019-11235

CVSS3: 9.8
debian
почти 7 лет назад

FreeRADIUS before 3.0.19 mishandles the "each participant verifies tha ...

github логотип

GHSA-qx2m-p74g-xjwh

CVSS3: 9.8
github
больше 3 лет назад

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

fstec логотип

BDU:2020-01576

CVSS3: 9.8
fstec
почти 7 лет назад

Уязвимость RADIUS-сервера FreeRADIUS, связанная с недостаточной проверкой подлинности данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 90%
0.0601
Низкий

8.1 High

CVSS3