CVE-2019-11234

Name: CVE-2019-11234
Creator: NVD / NIST
Published: 2019-04-22T11:29:03.33+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 7.62%

Last modified Jun 17, 2026

CVE-2019-11234 is a vulnerability of currently unknown severity. FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.. EPSS estimates a 7.62% chance of exploitation in the next 30 days.

Description

FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.

Metrics

EPSS Probability

7.62%

93.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-287

Affected Software

Vendor	Product	Versions
Freeradius	Freeradius	< 3.0.19
Fedoraproject	Fedora	All versions
Redhat	Enterprise Linux	7.0
Canonical	Ubuntu Linux	18.04
Canonical	Ubuntu Linux	18.10
Canonical	Ubuntu Linux	19.04

References

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00033.html
https://access.redhat.com/errata/RHSA-2019:1131
https://access.redhat.com/errata/RHSA-2019:1142
https://bugzilla.redhat.com/show_bug.cgi?id=1695783Issue Tracking, Third Party Advisory
https://freeradius.org/release_notes/?br=3.0.x&re=3.0.19Release Notes, Vendor Advisory
https://freeradius.org/security/Vendor Advisory
https://papers.mathyvanhoef.com/dragonblood.pdfTechnical Description, Third Party Advisory
https://usn.ubuntu.com/3954-1/Third Party Advisory
https://www.kb.cert.org/vuls/id/871675/Not Applicable, Third Party Advisory, US Government Resource
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00014.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00033.html
https://access.redhat.com/errata/RHSA-2019:1131
https://access.redhat.com/errata/RHSA-2019:1142
https://bugzilla.redhat.com/show_bug.cgi?id=1695783Issue Tracking, Third Party Advisory
https://freeradius.org/release_notes/?br=3.0.x&re=3.0.19Release Notes, Vendor Advisory
https://freeradius.org/security/Vendor Advisory
https://papers.mathyvanhoef.com/dragonblood.pdfTechnical Description, Third Party Advisory
https://usn.ubuntu.com/3954-1/Third Party Advisory
https://www.kb.cert.org/vuls/id/871675/Not Applicable, Third Party Advisory, US Government Resource

Timeline

Published: Apr 22, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-11234?

FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.

How severe is CVE-2019-11234?

Severity scoring for CVE-2019-11234 is pending analysis. The EPSS model estimates a 7.62% probability of exploitation in the next 30 days.

How do I fix CVE-2019-11234?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-11234?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST