CVE-2020-27222

Published: Feb 3, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS.

Affected (1)

Products: Eclipse: Californium

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Eclipse Californium	From 2.3.0 to 2.6.0

Related CWEs

Incomplete Internal State Distinction

The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.

References (2)

https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844

Source: emo@eclipse.org

Permissions RequiredVendor Advisory

https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredVendor Advisory

Timeline

No history available yet.