CVE-2022-40617

CWE-400Uncontrolled Resource Consumption8 documents7 sources
Severity
7.5HIGH
EPSS
0.2%
top 55.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Stormshield Stormshield Network SecurityStrongswan StrongswanCanonical Ubuntu Linux+2 more
Timeline
PublishedOct 31

Description

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

Debianstrongswan< 5.9.1-1+deb11u3+3

Also affects: Debian Linux 10.0, 11.0, Fedora 37, Ubuntu Linux 14.04, 16.04, 18.04, 20.04, 22.04

🔴Vulnerability Details

3
OSV
CVE-2022-40617: strongSwan before 52022-10-31
CVEList
CVE-2022-40617: strongSwan before 52022-10-31
GHSA
GHSA-f2x8-4jwf-gqrg: strongSwan before 52022-10-31

📋Vendor Advisories

4
Microsoft
strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL tha2022-10-11
Ubuntu
strongSwan vulnerability2022-10-03
Ubuntu
strongSwan vulnerability2022-10-03
Debian
CVE-2022-40617: strongswan - strongSwan before 5.9.8 allows remote attackers to cause a denial of service in ...2022