CVE-2021-45079
CRITICAL: strongSwan < 5.9.5 - Unauthenticated EAP-Success Spoofing via Early Response
Title source: llmDescription
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
References (1)
Core References: Various Sources (x_refsource_misc)
https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html
Scores
CVSS v3: 9.1
EPSS: 0.0011
EPSS Percentile: 29.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Details
CWE: CWE-476
Status: published
Products (14)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
canonical/ubuntu_linux 21.10
debian/debian_linux 9.0
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/extra_packages_for_enterprise_linux 7.0
fedoraproject/extra_packages_for_enterprise_linux 8.0
... and 4 more
Published: Jan 31, 2022
Tracked Since: Feb 18, 2026