Key Exchange without Entity Authentication

CVE-2021-34433

High

7.5/10

Summary

In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-322 - Key Exchange without Entity Authentication

The software performs a key exchange with an actor without verifying the identity of that actor.

References

Advisory Timeline

Published Aug 20, 2021

Key Exchange without Entity Authentication

CVE-2021-34433

Summary

CWE-322 - Key Exchange without Entity Authentication

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS