6.5

CVE-2019-13456

Exploit
In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FreeradiusFreeradius Version >= 3.0.0 <= 3.0.19
   LinuxLinux Kernel Version-
RedhatEnterprise Linux Version7.0
RedhatEnterprise Linux Version8.0
OpensuseLeap Version15.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.63% 0.731
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 2.9 5.5 2.9
AV:A/AC:M/Au:N/C:P/I:N/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

https://freeradius.org/security/
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html
Third Party Advisory
Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=1737663
Patch
Third Party Advisory
Exploit
Issue Tracking
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
Patch
Third Party Advisory
https://wpa3.mathyvanhoef.com
Third Party Advisory
Exploit