CVE-2019-9498 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-9498 PUBLISHED

The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.

EPSS 1.21% · 78.9th percentile

Risk Scores

EPSS Score

1.21%

78.9th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	wpa	0, 2.4-0ubuntu3, 2.4-0ubuntu4
Ubuntu:14.04:LTS	wpa	2.1-0ubuntu1.3, 2.1-0ubuntu1.4, 2.1-0ubuntu1.5
Ubuntu:18.04:LTS	wpa	0, 2.4-0ubuntu10, 2:2.4-1.1ubuntu1

Timeline

CVE Published
May 5, 2020 PoC Published
Apr 14, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Dec 17, 2024 EPSS Score
Mar 29, 2025 EPSS Score
Mar 30, 2025 EPSS Score
Apr 2, 2025 EPSS Score
Apr 3, 2025 EPSS Score
Apr 5, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2019-9498 third-party-advisory
https://w1.fi/security/2019-4/ third-party-advisory
https://ubuntu.com/security/notices/USN-3944-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2019-9498 third-party-advisory

Open in Interactive Console →