Home > Vulnerability Database > CVE-2023-26463

Mend.io Vulnerability Database

CVE-2023-26463

Good to know:

Date: April 14, 2023

strongSwan 5.9.8 and 5.9.9 potentially allows remote code execution because it uses a variable named "public" for two different purposes within the same function. There is initially incorrect access control, later followed by an expired pointer dereference. One attack vector is sending an untrusted client certificate during EAP-TLS. A server is affected only if it loads plugins that implement TLS-based EAP methods (EAP-TLS, EAP-TTLS, EAP-PEAP, or EAP-TNC). This is fixed in 5.9.10.

Language: C

Severity Score

9.8

Related Resources (6)

Url: https://github.com/strongswan/strongswan/releases

Url: https://security.netapp.com/advisory/ntap-20230517-0010/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26463

Url: https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-%28cve-2023-26463%29.html

Url: https://security-tracker.debian.org/tracker/CVE-2023-26463

Url: https://www.mend.io/vulnerability-database/CVE-2023-26463

Severity Score

9.8

Weakness Type (CWE)

Improper Certificate Validation

CWE-295

NULL Pointer Dereference

CWE-476

Top Fix

Upgrade Version

Upgrade to version 5.9.8,android-2.4.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26463

Good to know:

Date: April 14, 2023

Language: C

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?