CVE-2021-45079

Published: 24 January 2022

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

Priority: High

CVSS 3 base score: 9.1

Status

Package     Release   Status
strongswan  bionic    Released (5.6.2-1ubuntu2.8)
            focal     Released (5.8.2-1ubuntu3.4)
            hirsute   Ignored (reached end-of-life)
            impish    Released (5.9.1-1ubuntu3.2)
            jammy     Released (5.9.4-1ubuntu4)
            trusty    Released (5.1.2-0ubuntu2.11+esm2)
            upstream  Released (5.9.5)
            xenial    Released (5.3.5-1ubuntu3.8+esm2)