usn-7317-1
Vulnerability from osv_ubuntu
Published
2025-03-03 19:42
Modified
2026-04-22 07:37
Summary
wpa vulnerabilities
Details
George Chatzisofroniou and Panayiotis Kotzanikolaou discovered that wpa_supplicant and hostapd reused encryption elements in the PKEX protocol. An attacker could possibly use this issue to impersonate a wireless access point, and obtain sensitive information. (CVE-2022-37660)
Daniel De Almeida Braga, Mohamed Sabt, and Pierre-Alain Fouque discovered that wpa_supplicant and hostapd were vulnerable to side channel attacks due to the cache access patterns. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 20.04 LTS. (CVE-2022-23303, CVE-2022-23304)
References
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-23303",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-23304",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2022-37660",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:20.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "hostapd",
"binary_version": "2:2.9-1ubuntu4.6"
},
{
"binary_name": "wpagui",
"binary_version": "2:2.9-1ubuntu4.6"
},
{
"binary_name": "wpasupplicant",
"binary_version": "2:2.9-1ubuntu4.6"
}
]
},
"package": {
"ecosystem": "Ubuntu:20.04:LTS",
"name": "wpa",
"purl": "pkg:deb/ubuntu/wpa@2:2.9-1ubuntu4.6?arch=source\u0026distro=focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.9-1ubuntu4.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:2.9-1ubuntu2",
"2:2.9-1ubuntu3",
"2:2.9-1ubuntu4",
"2:2.9-1ubuntu4.1",
"2:2.9-1ubuntu4.2",
"2:2.9-1ubuntu4.3",
"2:2.9-1ubuntu4.4"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-37660",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "eapoltest",
"binary_version": "2:2.10-6ubuntu2.2"
},
{
"binary_name": "hostapd",
"binary_version": "2:2.10-6ubuntu2.2"
},
{
"binary_name": "wpagui",
"binary_version": "2:2.10-6ubuntu2.2"
},
{
"binary_name": "wpasupplicant",
"binary_version": "2:2.10-6ubuntu2.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "wpa",
"purl": "pkg:deb/ubuntu/wpa@2:2.10-6ubuntu2.2?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.10-6ubuntu2.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:2.9.0-21build1",
"2:2.9.0-23",
"2:2.10-1",
"2:2.10-2",
"2:2.10-6",
"2:2.10-6ubuntu1",
"2:2.10-6ubuntu2",
"2:2.10-6ubuntu2.1"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2022-37660",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:24.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "eapoltest",
"binary_version": "2:2.10-21ubuntu0.2"
},
{
"binary_name": "hostapd",
"binary_version": "2:2.10-21ubuntu0.2"
},
{
"binary_name": "wpagui",
"binary_version": "2:2.10-21ubuntu0.2"
},
{
"binary_name": "wpasupplicant",
"binary_version": "2:2.10-21ubuntu0.2"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "wpa",
"purl": "pkg:deb/ubuntu/wpa@2:2.10-21ubuntu0.2?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2:2.10-21ubuntu0.2"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2:2.10-15",
"2:2.10-18",
"2:2.10-20",
"2:2.10-21",
"2:2.10-21build2",
"2:2.10-21build3",
"2:2.10-21build4",
"2:2.10-21ubuntu0.1"
]
}
],
"aliases": [],
"details": "George Chatzisofroniou and Panayiotis Kotzanikolaou discovered that\nwpa_supplicant and hostapd reused encryption elements in the PKEX protocol.\nAn attacker could possibly use this issue to impersonate a wireless access\npoint, and obtain sensitive information. (CVE-2022-37660)\n\nDaniel De Almeida Braga, Mohamed Sabt, and Pierre-Alain Fouque discovered\nthat wpa_supplicant and hostapd were vulnerable to side channel attacks due\nto the cache access patterns. An attacker could possibly use this issue to\nobtain sensitive information. This issue only affected Ubuntu 20.04 LTS.\n(CVE-2022-23303, CVE-2022-23304)\n",
"id": "USN-7317-1",
"modified": "2026-04-22T07:37:17Z",
"published": "2025-03-03T19:42:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7317-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-23303"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-23304"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2022-37660"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "wpa vulnerabilities",
"upstream": [
"UBUNTU-CVE-2022-23303",
"UBUNTU-CVE-2022-23304",
"UBUNTU-CVE-2022-37660"
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…