CVSS 3.1 Score 9.1 of 10 (high)


Published Jul 17, 2023
Updated: Jul 28, 2023
CWE ID 295


CVE-2023-3724 is a cyber vulnerability that affects multiple products, including aD9sPw, aD9sPx, aD9sPy, and many others. This vulnerability occurs when a TLS 1.3 client connects to a malicious server without receiving a PSK (pre shared key) extension or a KSE (key share extension). In this scenario, a default predictable buffer is used for the Input Keying Material (IKM) value when generating the session master secret key. This can compromise the generated key and allow an eavesdropper to reconstruct it, potentially gaining access to or tampering with the session's message contents. While client validation of connected servers and private key information are not affected, organizations not controlling both sides of the connection may be at risk of insecure TLS 1.3 sessions. To remediate this vulnerability, wolfSSL recommends that TLS 1.3 client-side users update their version of wolfSSL used. The risk score for this vulnerability is rated at 67 out of 100, with a base severity level of CRITICAL and a base score of 9.1 according to CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.


Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2023-3724 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options