DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers.
References
Link | Resource |
---|---|
https://github.com/wolfSSL/wolfssl/pull/3676 | Patch Third Party Advisory |
https://www.wolfssl.com/docs/security-vulnerabilities | Vendor Advisory |
Configurations
History
04 Mar 2021, 21:20
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.8
v3 : 8.1 |
References | (CONFIRM) https://www.wolfssl.com/docs/security-vulnerabilities - Vendor Advisory |
23 Feb 2021, 00:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | DoTls13CertificateVerify in tls13.c in wolfSSL before 4.7.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The client side is affected because man-in-the-middle attackers can impersonate TLS 1.3 servers. |
02 Feb 2021, 17:43
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
CWE | CWE-295 | |
References | (MISC) https://github.com/wolfSSL/wolfssl/pull/3676 - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* |
29 Jan 2021, 05:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-01-29 05:15
Updated : 2023-12-10 13:41
NVD link : CVE-2021-3336
Mitre link : CVE-2021-3336
CVE.ORG link : CVE-2021-3336
JSON object : View
Products Affected
wolfssl
- wolfssl
CWE
CWE-295
Improper Certificate Validation