Lucene search
WolfSSLCVE-2024-5814HistoryAug 27, 2024 - 7:15 p.m.
CVE-2024-5814
2024-08-2719:15:17
CWE-284
wolfSSL
web.nvd.nist.gov
26
tls downgrade
vulnerability
tls 1.2
tls 1.3
ciphersuite
CVSS4
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
ACTIVE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N/AU:Y/U:Green/V:D/RE:M
AI Score
6.8
Confidence
Low
EPSS
0
Percentile
9.5%
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
CNA Affected
[
{
"defaultStatus": "unknown",
"product": "wolfSSL",
"programFiles": [
"src/tls13.c"
],
"repo": "https://github.com/wolfSSL/wolfssl",
"vendor": "wolfSSL",
"versions": [
{
"lessThanOrEqual": "5.7.0",
"status": "affected",
"version": "0",
"versionType": "Release"
}
]
}
]Related
cvelist
cvelist
CVE-2024-5814 Unverifed Ciphersuite used on a client-side TLS1.3 Downgrade
2024-08-27 18:38:08
nvd
nvd
CVE-2024-5814
2024-08-27 19:15:17
osv
osv
CVE-2024-5814
2024-08-27 19:15:17
ubuntucve
ubuntucve
CVE-2024-5814
2024-08-27 00:00:00
vulnrichment
vulnrichment
CVE-2024-5814 Unverifed Ciphersuite used on a client-side TLS1.3 Downgrade
2024-08-27 18:38:08
debiancve
debiancve
CVE-2024-5814
2024-08-27 19:15:17
alpinelinux
alpinelinux
CVE-2024-5814
2024-08-27 19:15:17
freebsd
freebsd
netatalk3 -- multiple WolfSSL vulnerabilities
2024-09-08 00:00:00
slackware
slackware
[slackware-security] netatalk
2024-09-09 17:33:03
openvas
openvas
Slackware: Security Advisory (SSA:2024-253-01)
2024-09-10 00:00:00
nessus
nessus
CVSS4
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
ACTIVE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N/AU:Y/U:Green/V:D/RE:M
AI Score
6.8
Confidence
Low
EPSS
0
Percentile
9.5%
Related for CVE-2024-5814