Filtered by vendor Wolfssl
Subscriptions
Total
65 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-38152 | 1 Wolfssl | 1 Wolfssl | 2024-08-03 | 7.5 High |
| An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS session resumption and reuses the initial struct WOLFSSL. If the server reuses the previous session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL* ssl) on it, the next received Client Hello (that resumes the previous session) crashes the server. Note that this bug is only triggered when resuming sessions using TLS session resumption. Only servers that use wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence are affected. Furthermore, wolfSSL_clear is part of wolfSSL's compatibility layer and is not enabled by default. It is not part of wolfSSL's native API. | ||||
| CVE-2022-34293 | 1 Wolfssl | 1 Wolfssl | 2024-08-03 | 7.5 High |
| wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped. | ||||
| CVE-2022-25638 | 1 Wolfssl | 1 Wolfssl | 2024-08-03 | 6.5 Medium |
| In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message. | ||||
| CVE-2022-25640 | 1 Wolfssl | 1 Wolfssl | 2024-08-03 | 7.5 High |
| In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate. | ||||
| CVE-2022-23408 | 1 Wolfssl | 1 Wolfssl | 2024-08-03 | 9.1 Critical |
| wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c. | ||||