{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-2873", "assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "state": "PUBLISHED", "assignerShortName": "wolfSSL", "dateReserved": "2024-03-25T20:28:07.035Z", "datePublished": "2024-03-25T21:58:52.325Z", "dateUpdated": "2024-08-01T19:50:46.158Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "wolfSSH", "repo": "https://github.com/wolfSSL/wolfssh", "vendor": "wolfSSL Inc.", "versions": [{"lessThanOrEqual": "v1.4.16", "status": "affected", "version": "0", "versionType": "release bundle"}]}], "datePublic": "2024-03-25T23:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.<br>"}], "value": "A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.\n"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "shortName": "wolfSSL", "dateUpdated": "2024-03-25T21:58:52.325Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/wolfSSL/wolfssh/pull/670"}, {"tags": ["patch"], "url": "https://github.com/wolfSSL/wolfssh/pull/671"}, {"tags": ["vendor-advisory"], "url": "https://www.wolfssl.com/docs/security-vulnerabilities/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">The fix for this issue is located in the following GitHub Pull Requests:<br><ul><li><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/wolfSSL/wolfssh/pull/670\">https://github.com/wolfSSL/wolfssh/pull/670</a><br></li><li><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/wolfSSL/wolfssh/pull/671\">https://github.com/wolfSSL/wolfssh/pull/671</a><br></li></ul></span>"}], "value": "The fix for this issue is located in the following GitHub Pull Requests:\n * https://github.com/wolfSSL/wolfssh/pull/670 \n\n * https://github.com/wolfSSL/wolfssh/pull/671 \n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "User authentication bypass in wolfSSH server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:42.177Z"}, "title": "CVE Program Container", "references": [{"tags": ["patch", "x_transferred"], "url": "https://github.com/wolfSSL/wolfssh/pull/670"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/wolfSSL/wolfssh/pull/671"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.wolfssl.com/docs/security-vulnerabilities/"}]}, {"affected": [{"vendor": "wolfssh", "product": "wolfssh", "cpes": ["cpe:2.3:a:wolfssh:wolfssh:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "1.4.16", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-01T19:41:19.753078Z", "id": "CVE-2024-2873", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T19:50:46.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/wolfSSL/wolfssh/pull/670", "tags": ["patch", "x_transferred"]}, {"url": "https://github.com/wolfSSL/wolfssh/pull/671", "tags": ["patch", "x_transferred"]}, {"url": "https://www.wolfssl.com/docs/security-vulnerabilities/", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:25:42.177Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-2873", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-01T19:41:19.753078Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wolfssh:wolfssh:*:*:*:*:*:*:*:*"], "vendor": "wolfssh", "product": "wolfssh", "versions": [{"status": "affected", "version": "0", "lessThan": "1.4.16", "versionType": "custom"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T19:43:43.379Z"}}], "cna": {"title": "User authentication bypass in wolfSSH server", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/wolfSSL/wolfssh", "vendor": "wolfSSL Inc.", "product": "wolfSSH", "versions": [{"status": "affected", "version": "0", "versionType": "release bundle", "lessThanOrEqual": "v1.4.16"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The fix for this issue is located in the following GitHub Pull Requests:\n * https://github.com/wolfSSL/wolfssh/pull/670 \n\n * https://github.com/wolfSSL/wolfssh/pull/671 \n\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">The fix for this issue is located in the following GitHub Pull Requests:<br><ul><li><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/wolfSSL/wolfssh/pull/670\">https://github.com/wolfSSL/wolfssh/pull/670</a><br></li><li><a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/wolfSSL/wolfssh/pull/671\">https://github.com/wolfSSL/wolfssh/pull/671</a><br></li></ul></span>", "base64": false}]}], "datePublic": "2024-03-25T23:00:00.000Z", "references": [{"url": "https://github.com/wolfSSL/wolfssh/pull/670", "tags": ["patch"]}, {"url": "https://github.com/wolfSSL/wolfssh/pull/671", "tags": ["patch"]}, {"url": "https://www.wolfssl.com/docs/security-vulnerabilities/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.\n", "supportingMedia": [{"type": "text/html", "value": "A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "shortName": "wolfSSL", "dateUpdated": "2024-03-25T21:58:52.325Z"}}}, "cveMetadata": {"cveId": "CVE-2024-2873", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:50:46.158Z", "dateReserved": "2024-03-25T20:28:07.035Z", "assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27", "datePublished": "2024-03-25T21:58:52.325Z", "assignerShortName": "wolfSSL"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.\n"}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en la m\u00e1quina de estado del lado del servidor de wolfSSH antes de las versiones 1.4.17. Un cliente malintencionado podr\u00eda crear canales sin realizar primero la autenticaci\u00f3n del usuario, lo que provocar\u00eda un acceso no autorizado."}], "id": "CVE-2024-2873", "lastModified": "2024-11-21T09:10:43.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "facts@wolfssl.com", "type": "Secondary"}]}, "published": "2024-03-25T22:37:19.847", "references": [{"source": "facts@wolfssl.com", "url": "https://github.com/wolfSSL/wolfssh/pull/670"}, {"source": "facts@wolfssl.com", "url": "https://github.com/wolfSSL/wolfssh/pull/671"}, {"source": "facts@wolfssl.com", "url": "https://www.wolfssl.com/docs/security-vulnerabilities/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wolfSSL/wolfssh/pull/670"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/wolfSSL/wolfssh/pull/671"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.wolfssl.com/docs/security-vulnerabilities/"}], "sourceIdentifier": "facts@wolfssl.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "facts@wolfssl.com", "type": "Secondary"}]}

{}