VDB
CVE-2022-23094
CVE-2022-23094
PUBLISHED
CVSS 7.5 HIGH
Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.
EPSS 1.48% · 81.3th percentile
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
1.48%
81.3th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| fedoraproject | fedora | 34, 35 |
| debian | debian_linux | 10.0 |
| libreswan | libreswan | 4.2 |
| n/a | n/a | n/a |
Timeline
- Jan 15, 2022 CVE Published
- Feb 8, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 24, 2022 EPSS Score
- Sep 7, 2022 EPSS Score
- Oct 29, 2022 EPSS Score
- Dec 20, 2022 EPSS Score
- Feb 11, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- May 26, 2023 EPSS Score
- Jul 18, 2023 EPSS Score
- Sep 8, 2023 EPSS Score
References
- https://libreswan.org/security/CVE-2022-23094 url
- https://github.com/libreswan/libreswan/issues/585 url
- DSA-5048 vendor-advisory
- FEDORA-2022-a4bca77f88 vendor-advisory
- FEDORA-2022-42e0892147 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2022-23094 advisory
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HPMIHAXWQUJAPCIGNJ5J5Q6ASWQBU7T5 url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UFZ7WP5LNNBW5ADIOPDSPQ23SXZJRNMP url