CVE-2023-6937

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Feb 15, 2024
CWE ID 20

Summary

CVE-2023-6937 affects wolfSSL prior to version 5.6.6 and involves a failure to check message boundaries in (D)TLS records. This vulnerability could allow an attacker to combine (D)TLS messages using different keys into a single record, with the most severe scenario being an unencrypted (D)TLS 1.3 record from the server containing a ServerHello message and the rest of the first server flight being accepted by a wolfSSL client. Although it does not compromise key negotiation or authentication, it is still considered a low severity issue as the handshake is encrypted after the ServerHello message in (D)TLS 1.3.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share