CVE-2022-25640 — Improper Certificate Validation in Wolfssl

CWE-295 — Improper Certificate Validation CWE-287 — Improper Authentication CWE-601 — Open Redirect CWE-918 — Server-Side Request Forgery7 documents6 sources

Severity

7.5HIGHNVD

GHSA6.1

EPSS

5.1%

top 10.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl

Timeline

PublishedFeb 24

Latest updateJan 12

Description

In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wolfssl< wolfssl 5.2.0-1 (bookworm)

▶NVDwolfssl/wolfssl< 5.2.0

▶Debianwolfssl/wolfssl< 4.6.0+p1-0+deb11u1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Server-side request forgery in Apache Dubbo↗2022-06-10

▶

GHSA

GHSA-wx9x-cpp6-2q3w: In wolfSSL before 5↗2022-02-25

▶

OSV

CVE-2022-25640: In wolfSSL before 5↗2022-02-24

▶

📋Vendor Advisories

Debian

CVE-2022-25640: wolfssl - In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement ...↗2022

▶

🕵️Threat Intelligence

Trailofbits

Keeping the wolves out of wolfSSL↗2023-01-12

▶

Trailofbits

Keeping the wolves out of wolfSSL↗2023-01-12

▶