CVE-2021-3336

{"id": "CVE-2021-3336", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2021-01-29T05:15:12.197", "references": [{"url": "https://github.com/wolfSSL/wolfssl/pull/3676", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.wolfssl.com/docs/security-vulnerabilities", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers."}, {"lang": "es", "value": "La funci\u00f3n DoTls13CertificateVerify en el archivo tls13.c en wolfSSL versiones hasta 4.7.0, no detiene el procesamiento para determinados comportamientos an\u00f3malos de peers (mediante el env\u00edo de una firma ED22519, ED448, ECC o RSA sin el certificado correspondiente) El lado del cliente se ve afectado porque los atacantes \"man-in-the-middle\" pueden hacerse pasar por servidores TLS 1.3"}], "lastModified": "2021-03-04T21:20:45.567", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9CD8E675-17D8-4AB2-80BB-444CE6D42A5E", "versionEndExcluding": "4.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}