Insufficient Verification of Data Authenticity Affecting freeradius/freeradius-server package, versions [,3.0.19)


Severity


CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS
0.48% (76th percentile)

  • Snyk ID: SNYK-UNMANAGED-FREERADIUSFREERADIUSSERVER-2365116
  • Published: 26 Jan 2022
  • Disclosed: 22 Apr 2019
  • Credit: Unknown

Introduced: 22 Apr 2019

CVE-2019-11235
CWE-345

How to fix?

Upgrade freeradius/freeradius-server to version 3.0.19 or higher.

Overview

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity. FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.
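The protection mechanism quoted above is a receive-side validation step: before a peer's commit values are used, the scalar must lie strictly between 1 and the group order, and the element must be an affine point that actually satisfies the curve equation and is not the point at infinity. The following is an added illustration of that validation written for this page; it is not FreeRADIUS code and makes no claim about how the fixed server implements the check. It assumes the NIST P-256 domain parameters (cofactor 1, so an on-curve, non-identity point is automatically in the prime-order subgroup) and represents the point at infinity as `None`; the sample inputs at the bottom are constructed.

```python
# Receive-side validation of an EAP-pwd/SAE-style commit (scalar, element).
# Added example for this page; not FreeRADIUS code. Assumes NIST P-256.

# NIST P-256 domain parameters (assumed for this example).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def scalar_in_range(scalar: int) -> bool:
    """A received scalar must satisfy 1 < scalar < N.

    0 and 1 are rejected because they collapse the contribution of the
    peer's random mask, and anything >= N is not a reduced group scalar.
    """
    return 1 < scalar < N


def element_is_valid_point(point) -> bool:
    """A received element must be an affine point on the curve.

    Rejects the point at infinity (None), coordinates outside [0, P-1],
    and any (x, y) that does not satisfy y^2 = x^3 + A*x + B (mod P).
    With cofactor 1 an on-curve, non-identity point is in the prime-order
    subgroup, so no separate N*point == infinity check is needed here.
    """
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_commit(scalar: int, element) -> bool:
    """Both checks must pass before the commit is used in key derivation."""
    return scalar_in_range(scalar) and element_is_valid_point(element)


if __name__ == "__main__":
    # Constructed sample commits: one well-formed, several malformed.
    generator = (GX, GY)
    print("good commit     ->", validate_commit(2, generator))            # True
    print("scalar 1        ->", validate_commit(1, generator))            # False
    print("scalar = order  ->", validate_commit(N, generator))            # False
    print("off-curve point ->", validate_commit(2, (GX, GY + 1)))         # False
    print("x out of field  ->", validate_commit(2, (P, GY)))              # False
    print("point at inf    ->", validate_commit(2, None))                 # False
```

The two functions are deliberately separate so that a log line or counter can say which check rejected a commit; in a server that handles many peers that distinction is what makes probing of the handshake visible.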

CVSS Base Scores: CVSS version 3.1