Home > Vulnerability Database > CVE-2023-38710

Mend.io Vulnerability Database

CVE-2023-38710

Good to know:

Date: August 25, 2023

An issue was discovered in Libreswan before 4.12. When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. NOTE: the earliest affected version is 3.20.

Language: C

Severity Score

6.5

Related Resources (8)

Url: https://github.com/libreswan/libreswan/commit/94543f8b1f5cdfe299c1b1291bd388e071faaffc

Url: https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt

Url: https://access.redhat.com/security/cve/CVE-2023-38710

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-38710

Url: https://security-tracker.debian.org/tracker/CVE-2023-38710

Url: https://libreswan.org/security/CVE-2023-38710/

Url: https://github.com/libreswan/libreswan/tags

Url: https://www.mend.io/vulnerability-database/CVE-2023-38710

Severity Score

6.5

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version v4.12

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-38710

Good to know:

Date: August 25, 2023

Language: C

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?