CVE-2012-4523 — Radsecproxy vulnerability

CWE-2648 documents4 sources

Severity

6.4MEDIUMNVD

EPSS

0.2%

top 60.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Radsecproxy Debian Radsecproxy Uninett Radsecproxy

Timeline

PublishedNov 20

Latest updateMay 17

Description

radsecproxy before 1.6.1 does not properly verify certificates when there are configuration blocks with CA settings that are unrelated to the block being used for verifying the certificate chain, which might allow remote attackers to bypass intended access restrictions and spoof clients.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages3 packages

▶debiandebian/radsecproxy< radsecproxy 1.6.2-1 (bookworm)

▶Debianradsecproxy/radsecproxy< 1.6.2-1+3

▶NVDuninett/radsecproxy1.6+12

🔴Vulnerability Details

GHSA

GHSA-3qgg-3fwc-j9gv: The DTLS support in radsecproxy before 1↗2022-05-17

▶

GHSA

GHSA-67pw-2qx3-43v6: radsecproxy before 1↗2022-05-17

▶

OSV

CVE-2012-4566: The DTLS support in radsecproxy before 1↗2012-11-20

▶

OSV

CVE-2012-4523: radsecproxy before 1↗2012-11-20

▶

📋Vendor Advisories

Debian

CVE-2012-4566: radsecproxy - The DTLS support in radsecproxy before 1.6.2 does not properly verify certificat...↗2012

▶

Debian

CVE-2012-4523: radsecproxy - radsecproxy before 1.6.1 does not properly verify certificates when there are co...↗2012

▶