CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Jul 2021 — wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure outcome when the serial number in an OCSP request differs from the serial number in the OCSP response. • https://github.com/wolfSSL/wolfssl/pull/3990

CVSS: 4.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Jul 2021 — In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. • https://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md • CWE-203: Observable Discrepancy

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jan 2021 — DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED25519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. • https://github.com/wolfSSL/wolfssl/pull/3676 • CWE-295: Improper Certificate Validation

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jan 2021 — RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-of-bounds write for certain relationships between key size and digest size. • https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567 • CWE-787: Out-of-bounds Write

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Aug 2020 — wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers. • https://research.nccgroup.com/2020/08/24/technical-advisory-wolfssl-tls-1-3-client-man-in-the-middle-attack • CWE-295: Improper Certificate Validation

CVSS: 7.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Aug 2020 — An issue was discovered in wolfSSL before 4.5.0, when single precision is not employed. Local attackers can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key). • https://arxiv.org/abs/2008.12188 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2020 — An issue was discovered in wolfSSL before 4.5.0. It mishandles the change_cipher_spec (CCS) message processing logic for TLS 1.3. If an attacker sends ChangeCipherSpec messages in a crafted way involving more than one in a row, the server becomes stuck in the ProcessReply() loop, i.e., a denial of service. • https://github.com/wolfSSL/wolfssl/pull/2927 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Aug 2020 — An issue was discovered in the DTLS handshake implementation in wolfSSL before 4.5.0. Clear DTLS application_data messages in epoch 0 do not produce an out-of-order error. Instead, these messages are returned to the application. • https://github.com/wolfSSL/wolfssl/pull/3219

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

25 Jun 2020 — The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a "projective coordinates leak." • https://github.com/wolfSSL/wolfssl/commit/1de07da61f0c8e9926dcbd68119f73230dae283f • CWE-203: Observable Discrepancy

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 Apr 2020 — wolfSSL 4.3.0 has mulmod code in wc_ecc_mulmod_ex in ecc.c that does not properly resist timing side-channel attacks. • https://gist.github.com/pietroborrello/7c5be2d1dc15349c4ffc8671f0aad04f • CWE-203: Observable Discrepancy