6.5
CVE-2019-13456
- EPSS 1.63%
- Veröffentlicht 03.12.2019 20:15:11
- Zuletzt bearbeitet 21.11.2024 04:24:56
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Freeradius ≫ Freeradius Version >= 3.0.0 <= 3.0.19
Redhat ≫ Enterprise Linux Version7.0
Redhat ≫ Enterprise Linux Version8.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.63% | 0.731 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 2.9 | 5.5 | 2.9 |
AV:A/AC:M/Au:N/C:P/I:N/A:N
|
CWE-203 Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
https://freeradius.org/security/
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00039.html
https://bugzilla.redhat.com/show_bug.cgi?id=1737663
https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa
https://wpa3.mathyvanhoef.com