Vulnerability Description
Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state object exists. This is fixed in 4.6.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Libreswan | Libreswan | >= 4.2, < 4.6 |
| Fedoraproject | Fedora | 34 |
| Debian | Debian Linux | 10.0 |
Related Weaknesses (CWE)
References
- https://github.com/libreswan/libreswan/issues/585ExploitIssue TrackingThird Party Advisory
- https://libreswan.org/security/CVE-2022-23094Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2022/dsa-5048Third Party Advisory
- https://github.com/libreswan/libreswan/issues/585ExploitIssue TrackingThird Party Advisory
- https://libreswan.org/security/CVE-2022-23094Third Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2022/dsa-5048Third Party Advisory
FAQ
What is CVE-2022-23094?
CVE-2022-23094 is a vulnerability with a CVSS score of 7.5 (HIGH). Libreswan 4.2 through 4.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted IKEv1 packet because pluto/ikev1.c wrongly expects that a state...
How severe is CVE-2022-23094?
CVE-2022-23094 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23094?
Check the references section above for vendor advisories and patch information. Affected products include: Libreswan Libreswan, Fedoraproject Fedora, Debian Debian Linux.