Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-11235 |
CWE-ID | CWE-287 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software Subscribe |
freeradius (Alpine package) Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU18336
Risk: Medium
CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11235
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to FreeRadius mishandles secure checks when preforming user authentication process. The related checks refer to mechanisms, which ensures that "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used". A remote attacker can bypass authentication process. MitigationInstall update from vendor's website.
Vulnerable software versionsfreeradius (Alpine package): 3.0.9-r0 - 3.0.13-r2
External linkshttp://git.alpinelinux.org/aports/commit/?id=69138d98cebd2ab4efee5ac34450ed828d482d2c
http://git.alpinelinux.org/aports/commit/?id=39ad148a1b03ffa56801c3ded59b34d6ac0e4dd1
http://git.alpinelinux.org/aports/commit/?id=5000ff06e26f8e780cec024850772451991b14d4
http://git.alpinelinux.org/aports/commit/?id=03e34b1adafe3bbf545854f14971aa8e0142c1aa
http://git.alpinelinux.org/aports/commit/?id=065f2876051f76809327b30c47239ed3b8db0bd5
http://git.alpinelinux.org/aports/commit/?id=354ae2b18aa0dbbd1760f1152adc8699967a4ce3
http://git.alpinelinux.org/aports/commit/?id=77eea063d8f0ef7ac9a99e7a070e5d5fabe3d777
http://git.alpinelinux.org/aports/commit/?id=d19f2800a1df00c0d730c8a31045e0f54ef3404f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.