7.5

CVE-2023-2295

A vulnerability was found in the libreswan library. This security issue occurs when an IKEv1 Aggressive Mode packet is received with only unacceptable crypto algorithms, and the response packet is not sent with a zero responder SPI. When a subsequent packet is received where the sender reuses the libreswan responder SPI as its own initiator SPI, the pluto daemon state machine crashes. No remote code execution is possible. This CVE exists because of a CVE-2023-30570 security regression for libreswan package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LibreswanLibreswan Version4.9-1.el8
LibreswanLibreswan Version4.9-1.el9
RedhatEnterprise Linux Version8.0
RedhatEnterprise Linux Version9.0
RedhatEnterprise Linux Eus Version8.8
RedhatEnterprise Linux Eus Version9.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.58% 0.723
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

https://access.redhat.com/errata/RHSA-2023:3107
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:3148
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-2295
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2189777
Issue Tracking