GSD-2024-2873
Vulnerability from gsd - Updated: 2024-04-03 05:02Details
A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-2873"
],
"details": "A vulnerability was found in wolfSSH\u0027s server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.\n",
"id": "GSD-2024-2873",
"modified": "2024-04-03T05:02:25.963337Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "facts@wolfssl.com",
"ID": "CVE-2024-2873",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wolfSSH",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "0",
"version_value": "v1.4.16"
}
]
}
}
]
},
"vendor_name": "wolfSSL Inc."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in wolfSSH\u0027s server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-287",
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/wolfSSL/wolfssh/pull/670",
"refsource": "MISC",
"url": "https://github.com/wolfSSL/wolfssh/pull/670"
},
{
"name": "https://github.com/wolfSSL/wolfssh/pull/671",
"refsource": "MISC",
"url": "https://github.com/wolfSSL/wolfssh/pull/671"
},
{
"name": "https://www.wolfssl.com/docs/security-vulnerabilities/",
"refsource": "MISC",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities/"
}
]
},
"solution": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: transparent;\"\u003eThe fix for this issue is located in the following GitHub Pull Requests:\u003cbr\u003e\u003cul\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/wolfSSL/wolfssh/pull/670\"\u003ehttps://github.com/wolfSSL/wolfssh/pull/670\u003c/a\u003e\u003cbr\u003e\u003c/li\u003e\u003cli\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/wolfSSL/wolfssh/pull/671\"\u003ehttps://github.com/wolfSSL/wolfssh/pull/671\u003c/a\u003e\u003cbr\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/span\u003e"
}
],
"value": "The fix for this issue is located in the following GitHub Pull Requests:\n * https://github.com/wolfSSL/wolfssh/pull/670 \n\n * https://github.com/wolfSSL/wolfssh/pull/671 \n\n"
}
],
"source": {
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in wolfSSH\u0027s server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.\n"
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en la m\u00e1quina de estado del lado del servidor de wolfSSH antes de las versiones 1.4.17. Un cliente malintencionado podr\u00eda crear canales sin realizar primero la autenticaci\u00f3n del usuario, lo que provocar\u00eda un acceso no autorizado."
}
],
"id": "CVE-2024-2873",
"lastModified": "2024-03-26T12:55:05.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "facts@wolfssl.com",
"type": "Secondary"
}
]
},
"published": "2024-03-25T22:37:19.847",
"references": [
{
"source": "facts@wolfssl.com",
"url": "https://github.com/wolfSSL/wolfssh/pull/670"
},
{
"source": "facts@wolfssl.com",
"url": "https://github.com/wolfSSL/wolfssh/pull/671"
},
{
"source": "facts@wolfssl.com",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities/"
}
],
"sourceIdentifier": "facts@wolfssl.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "facts@wolfssl.com",
"type": "Secondary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…