CVSS4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
ACTIVE
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N/AU:Y/U:Green/V:D/RE:M
AI Score
Confidence
Low
EPSS
Percentile
9.5%
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | wolfssl | <= 5.5.4-2+deb12u1 | wolfssl_5.5.4-2+deb12u1_all.deb |
Debian | 11 | all | wolfssl | <= 4.6.0+p1-0+deb11u2 | wolfssl_4.6.0+p1-0+deb11u2_all.deb |
Debian | 999 | all | wolfssl | < 5.7.2-0.1 | wolfssl_5.7.2-0.1_all.deb |
Debian | 13 | all | wolfssl | < 5.7.2-0.1 | wolfssl_5.7.2-0.1_all.deb |