CVE-2014-2897

moderate-risk
Published 2020-01-28

The SSL 3 HMAC functionality in wolfSSL CyaSSL 2.5.0 before 2.9.4 does not check the padding length when verification fails, which allows remote attackers to have unspecified impact via a crafted HMAC, which triggers an out-of-bounds read.

Do I need to act?

~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Wolfssl

References (8)

Mailing List http://seclists.org/oss-sec/2014/q2/126
Mailing List http://seclists.org/oss-sec/2014/q2/130
Vendor Advisory http://www.wolfssl.com/yaSSL/Blog/Entries/2014/4/11_wolfSSL_Security_Advisory__A...
Vendor Advisory http://www.wolfssl.com/yaSSL/Docs-cyassl-changelog.html
Mailing List http://seclists.org/oss-sec/2014/q2/126
Mailing List http://seclists.org/oss-sec/2014/q2/130
Vendor Advisory http://www.wolfssl.com/yaSSL/Blog/Entries/2014/4/11_wolfSSL_Security_Advisory__A...
Vendor Advisory http://www.wolfssl.com/yaSSL/Docs-cyassl-changelog.html
40
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 3/34 · Minimal
Exposure 5/34 · Minimal