Candidate: CVE-2022-25638
PublicDate: 2022-02-24 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25638
 https://github.com/wolfSSL/wolfssl/pull/4813
 https://github.com/wolfSSL/wolfssl/commit/e13861bcde8015bb99ddb034224afb66e2fb89b8 (v5.2.0-stable)
 https://github.com/wolfSSL/wolfssl/commit/08047b2d959ee5e21a4a2c672308f45fec61f059 (v5.2.0-stable)
Description:
 In wolfSSL before 5.2.0, certificate validation may be bypassed during
 attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This
 occurs when the sig_algo field differs between the certificate_verify
 message and the certificate message.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [6.5 MEDIUM]


Patches_wolfssl:
upstream_wolfssl: released (5.2.0-1)
trusty_wolfssl: ignored (out of standard support)
xenial_wolfssl: ignored (out of standard support)
bionic_wolfssl: needs-triage
focal_wolfssl: needs-triage
impish_wolfssl: needs-triage
jammy_wolfssl: needs-triage
devel_wolfssl: needs-triage