Buffer Over-Read Vulnerability in wolfSSL Product
CVE-2022-42905
Severity: 9.1 (Critical)
What is CVE-2022-42905?
In wolfSSL versions earlier than 5.5.2, builds with callback support enabled (the WOLFSSL_CALLBACKS compile-time flag) are affected. A malicious TLS 1.3 client, or a network adversary in a position to tamper with the connection, can trigger a buffer over-read on the heap, disclosing potentially sensitive data from the process. The vulnerability primarily impacts systems built with the WOLFSSL_CALLBACKS option; that option is intended for debugging and should be used with caution.