
CVE-2019-9499

Published: 10 April 2019

The implementations of EAP-pwd in the wpa_supplicant EAP peer, when built against a crypto library that does not itself validate imported elements, do not validate the scalar and element values received in EAP-pwd-Commit. An attacker may therefore complete authentication, obtain the session key, and take control of the data connection with a client. Both hostapd with SAE support and wpa_supplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpa_supplicant with EAP-pwd support prior to and including version 2.7 are affected.
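The checks that a peer has to apply to a received EAP-pwd-Commit before using it, shown as an added example that is not wpa_supplicant's own code: the scalar must lie strictly between 1 and the subgroup order q, and the element must be a valid curve point that is neither the point at infinity nor a member of a small subgroup. The curve (y^2 = x^3 + 7 over GF(17), group order 18, so q = 9 and cofactor h = 2) is a constructed toy chosen so the example runs offline.

```python
# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); the real protocol uses
# a standard curve, but the validation logic is the same.
P, A, B = 17, 0, 7
Q, H = 9, 2                  # prime-order subgroup size q and cofactor h (assumed for the toy curve)
INF = None                   # point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Affine short-Weierstrass point addition (handles doubling and inverses)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 == -p1, including y == 0 doubling
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def validate_commit(scalar, element):
    """Return (ok, reason) for a received EAP-pwd-Commit (scalar, element) pair."""
    if not (1 < scalar < Q):
        return False, "scalar outside (1, q)"
    if element is INF:
        return False, "element is the point at infinity"
    if not (0 <= element[0] < P and 0 <= element[1] < P and on_curve(element)):
        return False, "element not on curve"
    if H > 1 and mul(Q, element) is not INF:   # rejects small-subgroup points
        return False, "element in a small subgroup"
    return True, "ok"
```

On the toy curve, (3, 0) is a valid on-curve point of order 2; a peer that skips the subgroup check would accept it, which is the class of input this CVE concerns.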

Priority

Medium

CVSS 3 base score: 8.1

Status

Package Release Status
wpa (Launchpad, Ubuntu, Debian)
  bionic    Released (2:2.6-15ubuntu2.2)
  cosmic    Released (2:2.6-18ubuntu1.1)
  disco     Released (2:2.6-21ubuntu3)
  precise   Does not exist
  trusty    Released (2.1-0ubuntu1.7)
  upstream  Released (2.8)
  xenial    Released (2.4-0ubuntu6.4)
wpasupplicant (Launchpad, Ubuntu, Debian)
  bionic    Does not exist
  cosmic    Does not exist
  disco     Does not exist
  precise   Not vulnerable (code not-present)
  trusty    Does not exist
  upstream  Needs triage
  xenial    Does not exist