cve-2021-34433
Vulnerability from cvelistv5
Published
2021-08-20 17:10
Modified
2024-08-04 00:12
Severity
Summary
In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.
References
Source | URL | Tags |
---|---|---|
emo@eclipse.org | https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281 | Issue Tracking, Vendor Advisory |
Impacted products
Vendor | Product |
---|---|
The Eclipse Foundation | Eclipse Californium |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:12:50.235Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Californium", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2.0.0", "versionType": "custom" }, { "lessThanOrEqual": "2.6.4", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "3.0.0-M1", "versionType": "custom" }, { "lessThanOrEqual": "3.0.0-M3", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-322", "description": "CWE-322: Key Exchange without Entity Authentication", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-20T17:10:10", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-34433", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Californium", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2.0.0" }, { "version_affected": "\u003c=", "version_value": "2.6.4" }, { "version_affected": "\u003e=", "version_value": "3.0.0-M1" }, { "version_affected": "\u003c=", "version_value": "3.0.0-M3" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-322: Key Exchange without Entity Authentication" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-34433", "datePublished": "2021-08-20T17:10:10", "dateReserved": "2021-06-09T00:00:00", "dateUpdated": "2024-08-04T00:12:50.235Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2021-34433\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2021-08-20T17:15:07.687\",\"lastModified\":\"2021-08-26T14:02:34.797\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange.\"},{\"lang\":\"es\",\"value\":\"En Eclipse Californium versiones 2.0.0 a 2.6.4 y 3.0.0-M1 a 3.0.0-M3, los handshakes DTLS basados en certificados (x509 y RPK) presentan \u00e9xito accidentalmente sin verificar la firma del lado del servidor en el lado del cliente, si esa firma no est\u00e1 incluida en el ServerKeyExchange del servidor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]},{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-322\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:californium:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.6.5\",\"matchCriteriaId\":\"65A08A46-AE52-493B-BD3B-06B7F33A6199\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:californium:3.0.0:m1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9664425C-0BC8-42FA-A128-4888792AABD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:californium:3.0.0:m2:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BAEC5E6-CADE-402A-8741-C6962C051A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:californium:3.0.0:m3:*:*:*:*:*:*\",\"matchCriteriaId\":\"72226029-FA1A-41D5-BF95-A60C830C394A\"}]}]}],\"references\":[{\"url\":\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}" } }
Loading...