Wolfssl

Wolfssl

111 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
8.8

CVE-2023-3724

  • EPSS 0.14%
  • Veröffentlicht 17.07.2023 22:15:09
  • Zuletzt bearbeitet 21.11.2024 08:17:55

If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor a KSE (key share extension) when connecting to a malicious server, a default predictable buffer gets used for the IKM (Input Keying Material) value when generating the session mast...

9.1

CVE-2022-42905

  • EPSS 6.14%
  • Veröffentlicht 07.11.2022 00:15:09
  • Zuletzt bearbeitet 02.05.2025 19:15:54

In wolfSSL before 5.5.2, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS 1.3 client or network attacker can trigger a buffer over-read on the heap of 5 bytes. (WOLFSSL_CALLBACKS is only intended for debugging....

5.3

CVE-2022-42961

  • EPSS 0.29%
  • Veröffentlicht 15.10.2022 04:15:17
  • Zuletzt bearbeitet 14.05.2025 15:15:53

An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC sig...

7.5

CVE-2022-39173

Exploit
  • EPSS 1.37%
  • Veröffentlicht 29.09.2022 01:15:11
  • Zuletzt bearbeitet 20.05.2025 20:15:23

In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow during a TLS 1.3 handshake. This occurs when an attacker supposedly resumes a previous TLS session. During the resumption Client Hello a Hello Retry Request must be triggered. Bot...

5.9

CVE-2021-44718

  • EPSS 0.21%
  • Veröffentlicht 02.09.2022 12:15:09
  • Zuletzt bearbeitet 21.11.2024 06:31:27

wolfSSL through 5.0.0 allows an attacker to cause a denial of service and infinite loop in the client component by sending crafted traffic from a Machine-in-the-Middle (MITM) position. The root cause is that the client module accepts TLS messages tha...

5.9

CVE-2022-38153

Exploit
  • EPSS 0.57%
  • Veröffentlicht 31.08.2022 18:15:08
  • Zuletzt bearbeitet 21.11.2024 07:15:54

An issue was discovered in wolfSSL before 5.5.0 (when --enable-session-ticket is used); however, only version 5.3.0 is exploitable. Man-in-the-middle attackers or a malicious server can crash TLS 1.2 clients during a handshake. If an attacker injects...

7.5

CVE-2022-38152

Exploit
  • EPSS 2.71%
  • Veröffentlicht 31.08.2022 17:15:08
  • Zuletzt bearbeitet 21.11.2024 07:15:54

An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client connects to a wolfSSL server and SSL_clear is called on its session, the server crashes with a segmentation fault. This occurs in the second session, which is created through TLS ...

7.5

CVE-2022-34293

  • EPSS 0.96%
  • Veröffentlicht 08.08.2022 16:15:08
  • Zuletzt bearbeitet 21.11.2024 07:09:14

wolfSSL before 5.4.0 allows remote attackers to cause a denial of service via DTLS because a check for return-routability can be skipped.

6.5

CVE-2022-25638

  • EPSS 0.15%
  • Veröffentlicht 24.02.2022 15:15:32
  • Zuletzt bearbeitet 21.11.2024 06:52:29

In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message.

7.5

CVE-2022-25640

  • EPSS 5.1%
  • Veröffentlicht 24.02.2022 15:15:32
  • Zuletzt bearbeitet 21.11.2024 06:52:29

In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.