CVE-2019-5061: Expected Behavior Violation in Hostapd

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.3% (top 47.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 12
Latest update: May 24

Description

An exploitable denial-of-service vulnerability exists in hostapd 2.6, where an attacker could trigger the AP to send IAPP location updates for stations before the required authentication process has completed. This could lead to different denial-of-service scenarios, either by causing CAM table attacks or by leading to traffic flapping if faking already existing clients in other nearby APs of the same wireless infrastructure. An attacker can forge Authentication and Association Request packets

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (1 package)

NVD: w1.fi/hostapd 2.6

🔴 Vulnerability Details (3)

GHSA: GHSA-6626-64rf-2cvv: An exploitable denial-of-service vulnerability exists in the hostapd 2 (2022-05-24)
OSV: CVE-2019-5061: An exploitable denial-of-service vulnerability exists in the hostapd 2 (2019-12-12)
CVEList: CVE-2019-5061: An exploitable denial-of-service vulnerability exists in the hostapd 2 (2019-12-12)

📋 Vendor Advisories (1)

Debian: CVE-2019-5061: wpa - An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where ... (2019)

💬 Community (2)

Bugzilla: CVE-2019-5061 hostapd: attacker could trigger AP to send IAPP location before authentication leads to dos [epel-6] (2020-01-27)
Bugzilla: CVE-2019-5061 hostapd: attacker could trigger AP to send IAPP location before authentication leads to dos (2020-01-27)
CVE-2019-5061 — Expected Behavior Violation in Hostapd | cvebase