Certificate Validation Vulnerability in wolfSSL TLS 1.3 Client Authentication
CVE-2022-25638

6.5MEDIUM

Key Information:

Vendor: Wolfssl
Status: Wolfssl
Vendor: CVE Published:; 24 February 2022

What is CVE-2022-25638?

A certificate validation bypass vulnerability exists in wolfSSL versions prior to 5.2.0, allowing a TLS 1.3 client to potentially evade authentication checks when connecting to a TLS 1.3 server. This issue arises when there is a discrepancy in the sig_algo field between the certificate_verify message and the certificate message, posing a security risk to systems utilizing affected wolfSSL versions.

References

https://github.com/wolfSSL/wolfssl/pull/4813

x_refsource_MISC

https://www.wolfssl.com/docs/security-vulnerabilities/

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 24, 2022
Vulnerability Reserved
Feb 22, 2022

Wolfssl

What is CVE-2022-25638?

References

CVSS V3.1

Timeline