First published: Thu Feb 24 2022(Updated: )
In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
WolfSSL wolfssl | <5.2.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-25638 is a vulnerability in wolfSSL before 5.2.0 that allows certificate validation to be bypassed during attempted authentication.
CVE-2022-25638 impacts wolfSSL by allowing a TLS 1.3 client to bypass certificate validation during authentication.
The severity of CVE-2022-25638 is medium, with a severity value of 6.5.
You can fix CVE-2022-25638 by updating wolfSSL to version 5.2.0 or higher.
Yes, you can find references for CVE-2022-25638 at the following links: [GitHub](https://github.com/wolfSSL/wolfssl/pull/4813) and [wolfSSL website](https://www.wolfssl.com/docs/security-vulnerabilities/).