CVE-2023-52160 (Medium) detected in multiple libraries

[mend-bolt-for-github[bot]]

CVE-2023-52160 - Medium Severity Vulnerability

Vulnerable Libraries - srcvendor/mport/2.6.1, srcvendor/mport/2.6.1, srcvendor/mport/2.6.1, srcvendor/mport/2.6.1

Vulnerability Details

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

Publish Date: 2024-02-22

URL: CVE-2023-52160

CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52160

Release Date: 2024-02-22

Fix Resolution: 8e6485a1bcb0baffdea9e55255a81270b768439c

---

Step up your Open Source Security Game with Mend here

[laffer1]

Fixed in 09463a47fa7f78eedfe72d5eb10e88c5530febb3

[laffer1]

Documented as MNBSD-2024-0