strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity (and intermediate CA) certificate that contains a CRL/OCSP URL that points to a server (under the attacker's control) that doesn't properly respond but (for example) just does nothing after the initial TCP handshake, or sends an excessive amount of application data.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
19 Jul 2023, 00:57
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
|
References |
|
01 Nov 2022, 14:12
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
References | (CONFIRM) https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html - Mitigation, Vendor Advisory | |
CWE | CWE-400 | |
CPE | cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:strongswan:strongswan:*:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:* cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:* |
31 Oct 2022, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-10-31 06:15
Updated : 2024-02-04 22:51
NVD link : CVE-2022-40617
Mitre link : CVE-2022-40617
CVE.ORG link : CVE-2022-40617
JSON object : View
Products Affected
strongswan
- strongswan
canonical
- ubuntu_linux
fedoraproject
- fedora
stormshield
- stormshield_network_security
debian
- debian_linux
CWE
CWE-400
Uncontrolled Resource Consumption