CVE-2024-5814

Unverifed Ciphersuite used on a client-side TLS1.3 Downgrade

Description

A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500

INFO

Published Date :

2024-08-27T18:38:08.974Z

Last Modified :

2024-08-27T19:21:04.561Z

Source :

wolfSSL

AFFECTED PRODUCTS

The following products are affected by CVE-2024-5814 vulnerability.

Vendors	Products
Wolfssl	Wolfssl

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-5814.

URL	Resource
https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#add_later

CVSS Vulnerability Scoring System

V4
V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact