Main Vulnerability Database Vulnerabilities #VU84841

#VU84841 Cryptographic issues in wolfSSL - CVE-2023-6937

Published: December 28, 2023

Vulnerability identifier: #VU84841

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2023-6937

CWE-ID: CWE-310

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
wolfSSL

Software vendor:
wolfSSL

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to wolfSSL does not check that messages in a single (D)TLS record do not span key boundaries. As a result, it is possible to combine (D)TLS messages using different keys into one (D)TLS record and force the client to accept an unencrypted flight from the server.

Remediation

Install updates from vendor's website.

External links

https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.6-stable
https://github.com/wolfSSL/wolfssl/pull/7029