CVE-2019-11235

CRITICAL

FreeRADIUS < 3.0.19 - Insufficient Verification of Data Authenticity

Title source: llm
STIX 2.1

Description

FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.

References (11)

Core 11
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://freeradius.org/release_notes/?br=3.0.x&re=3.0.19
Technical Description, Third Party Advisory x_refsource_misc
https://papers.mathyvanhoef.com/dragonblood.pdf
Not Applicable, Third Party Advisory, US Government Resource x_refsource_misc
https://www.kb.cert.org/vuls/id/871675/
Vendor Advisory x_refsource_misc
https://freeradius.org/security/
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1695748
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3954-1/
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00014.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1131
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1142

Scores

CVSS v3 9.8
EPSS 0.0455
EPSS Percentile 89.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-345
Status published
Products (12)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
canonical/ubuntu_linux 19.04
fedoraproject/fedora
freeradius/freeradius < 3.0.19
opensuse/leap 15.0
redhat/enterprise_linux 7.0
redhat/enterprise_linux_eus 7.6
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.6
... and 2 more
Published Apr 22, 2019
Tracked Since Feb 18, 2026