CVE-2022-23408
CRITICALwolfSSL 5.0.0-5.1.0 - Use of Insufficiently Random Values in AES-CBC and DES3 Connections
Title source: llmDescription
wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situations. This affects connections (without AEAD) using AES-CBC or DES3 with TLS 1.1 or 1.2 or DTLS 1.1 or 1.2. This occurs because of misplaced memory initialization in BuildMessage in internal.c.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_misc
https://github.com/wolfSSL/wolfssl/pull/4710
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-511-jan-3rd-2022
Scores
CVSS v3
9.1
EPSS
0.0123
EPSS Percentile
64.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-330
Status
published
Products (1)
wolfssl/wolfssl
5.0.0 - 5.1.1
Published
Jan 18, 2022
Tracked Since
Feb 18, 2026