PT-2022-6103 · Wolfssl

Lucca Hirschi +2 · Published 2022-10-29 · Updated 2023-02-15 · CVE-2022-42905

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C
Name of the Vulnerable Software and Affected Versions: wolfSSL versions prior to 5.5.2
Description: The issue is a buffer over-read vulnerability in the wolfSSL library. It can be triggered by a malicious TLS 1.3 client or a network attacker when callback functions are enabled via the WOLFSSL_CALLBACKS build flag. Exploitation may allow a remote attacker to gain unauthorized access to protected information or to cause a denial of service.
Recommendations: For versions prior to 5.5.2, consider disabling the WOLFSSL_CALLBACKS flag as a temporary workaround to reduce the risk of exploitation; the flag is only intended for debugging purposes. Update to version 5.5.2 or later to fully resolve the issue.
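As an added defender's check that is not part of this advisory: a POSIX shell script that decides whether a wolfSSL build is exposed to CVE-2022-42905 from the two facts the advisory names, the library version (read from LIBWOLFSSL_VERSION_STRING in wolfssl/version.h) and whether WOLFSSL_CALLBACKS is defined (read from the configure-generated wolfssl/options.h). The header location, and the assumption that the flag lives in options.h rather than a user_settings.h or CFLAGS, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the wolfSSL project).
# Exposure to CVE-2022-42905 needs both: version < 5.5.2 AND WOLFSSL_CALLBACKS defined.

# version_lt A B: exit 0 when dotted version A is older than B (numeric, per component)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# cve_2022_42905_exposed VERSION yes|no  (second arg: is WOLFSSL_CALLBACKS defined)
# Prints one of: exposed | vulnerable-version-callbacks-off | fixed. Exit 0 only when exposed.
cve_2022_42905_exposed() {
    if version_lt "$1" 5.5.2; then
        if [ "$2" = yes ]; then echo exposed; return 0; fi
        echo vulnerable-version-callbacks-off   # workaround in place; still update to 5.5.2+
        return 1
    fi
    echo fixed
    return 1
}

# wolfssl_check_tree [INCLUDE_DIR]: read version.h and options.h from an installed
# header tree (default path is an assumption) and classify the build.
# Builds that use user_settings.h have no options.h; this check then reports "no".
wolfssl_check_tree() {
    inc=${1:-/usr/local/include/wolfssl}
    ver=$(sed -n 's/.*LIBWOLFSSL_VERSION_STRING *"\([0-9.]*\)".*/\1/p' "$inc/version.h")
    if grep -Eq '^#define[[:space:]]+WOLFSSL_CALLBACKS([[:space:]]|$)' "$inc/options.h" 2>/dev/null; then
        cb=yes
    else
        cb=no
    fi
    cve_2022_42905_exposed "$ver" "$cb"
}
# Example invocation: wolfssl_check_tree /usr/local/include/wolfssl
```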

Fix

Weakness Enumeration: Out-of-bounds Read

Related Identifiers

ALT-PU-2022-2955
ALT-PU-2023-1034
BDU:2023-00042
CVE-2022-42905

Affected Products

Alt Linux
Wolfssl