CVE-2021-34433

Published: Aug 20, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.

Affected (4)

Products: Eclipse: Californium

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Eclipse Californium	From 2.0.0 to 2.6.5
Eclipse Californium	Version 3.0.0 m1
Eclipse Californium	Version 3.0.0 m2
Eclipse Californium	Version 3.0.0 m3

Related CWEs

Key Exchange without Entity Authentication

The product performs a key exchange with an actor without verifying the identity of that actor.

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (2)

https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281

Source: emo@eclipse.org

Issue TrackingVendor Advisory

https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

Timeline

No history available yet.