VDB

CVE-2024-5991

CVE-2024-5991 PUBLISHED CVSS 10 CRITICAL

In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.

EPSS 0.11% · 29.1th percentile

Risk Scores

CVSS v4.0
10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS Score
0.11%
29.1th percentile

Affected Products

VendorProductVersions
wolfsslwolfssl0
wolfSSLwolfSSL0
wolfsslwolfssl0

Timeline

  • Jan 20, 1970 Fix PR Merged
  • Aug 27, 2024 CVE Published
  • Aug 27, 2024 CVE Updated
  • Aug 28, 2024 EPSS Score
  • Sep 17, 2024 EPSS Score
  • Oct 5, 2024 Coalition ESS Score
  • Oct 8, 2024 EPSS Score
  • Oct 28, 2024 EPSS Score
  • Nov 17, 2024 EPSS Score
  • Dec 8, 2024 EPSS Score
  • Dec 29, 2024 EPSS Score
  • Jan 18, 2025 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›