CVE-2019-9498 — Origin Validation Error in Alliance Hostapd With Eap-pwd Support
Severity
8.1HIGHNVD
EPSS
1.2%
top 20.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 17
Latest updateMay 13
Description
The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hosta…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9
Affected Packages11 packages
Also affects: Debian Linux 8.0, Fedora 28, 29, 30
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-vv3p-4cq3-5ppc: The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not val↗2022-05-13
CVEList▶
The implementations of EAP-PWD in hostapd EAP Server do not validate the scalar and element values in EAP-pwd-Commit↗2019-04-17
OSV▶
CVE-2019-9498: The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not val↗2019-04-17
📋Vendor Advisories
5Debian▶
CVE-2019-9498: wpa - The implementations of EAP-PWD in hostapd EAP Server, when built against a crypt...↗2019
💬Community
1Bugzilla▶
CVE-2019-9498 wpa_supplicant: EAP-pwd server missing commit validation for scalar/element↗2019-04-12