CVE-2020-27222
Last modified
CVE-2020-27222 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In Eclipse Californium versions 2.3.0 to 2.6.0, certificate-based (X.509 and RPK) DTLS handshakes fail unexpectedly because the DTLS server side remains in a wrong internal state. That state is left behind by a previous certificate-based DTLS handshake failure with a TLS parameter mismatch. EPSS estimates a 0.85% chance of exploitation in the next 30 days.
Description
In Eclipse Californium versions 2.3.0 to 2.6.0, certificate-based (X.509 and RPK) DTLS handshakes fail unexpectedly because the DTLS server side remains in a wrong internal state. That wrong internal state is set by a previous certificate-based DTLS handshake failure with a TLS parameter mismatch. The DTLS server side must be restarted to recover. This allows clients to force a denial of service: since the trigger is a failed handshake rather than a completed one, no valid credentials are needed, which is reflected in the AV:N/PR:N metrics below.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Californium | >= 2.3.0, <= 2.6.0 |
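A practical way to check whether a Java build pulls in an affected version is to scan the output of `mvn dependency:tree` for `org.eclipse.californium` artifacts and compare their versions against the range in the table above. The script below is an added example, not code from NVD or the Californium project; the dependency tree it parses is constructed for illustration (the line format follows what `dependency:tree` prints), and the "review" status for pre-release qualifiers just above the range is a conservative convention of this script, since the page states only the affected range and not a fixed version.

```python
"""Flag Eclipse Californium artifacts in a Maven dependency tree that fall in
the affected range for CVE-2020-27222 (>= 2.3.0, <= 2.6.0).

Added example, not code from NVD or the Californium project. SAMPLE_TREE is
constructed; real input is the output of `mvn dependency:tree`.
"""
import re

AFFECTED_GROUP = "org.eclipse.californium"
AFFECTED_MIN = (2, 3, 0)
AFFECTED_MAX = (2, 6, 0)

# Maven coordinates as printed by dependency:tree:
#   groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+(?::[\w\-]+)?"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(version):
    """Return (numeric triple, qualifier): '2.6.0-SNAPSHOT' -> ((2, 6, 0), 'SNAPSHOT')."""
    core, _, qualifier = version.partition("-")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {version!r}")
    nums = tuple(int(p) for p in parts)
    nums = (nums + (0, 0, 0))[:3]          # pad '2.5' to (2, 5, 0)
    return nums, qualifier


def classify(version):
    """'affected', 'outside_range', or 'review' for a Californium version string."""
    nums, qualifier = parse_version(version)
    if AFFECTED_MIN <= nums <= AFFECTED_MAX:
        # Pre-release builds inside the range (2.6.0-SNAPSHOT) are treated as affected.
        return "affected"
    if qualifier and nums > AFFECTED_MAX:
        # Assumption of this script: a snapshot/RC just past the range may predate
        # the fix, so ask for manual review rather than declaring it clean.
        return "review"
    return "outside_range"


def find_affected(tree_text):
    """Return [(artifact, version, status)] for every Californium artifact not clearly outside the range."""
    findings = []
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match or match.group("group") != AFFECTED_GROUP:
            continue
        status = classify(match.group("version"))
        if status != "outside_range":
            findings.append((match.group("artifact"), match.group("version"), status))
    return findings


# Constructed sample output of `mvn dependency:tree` for a hypothetical gateway.
SAMPLE_TREE = """\
[INFO] com.example:coap-gateway:jar:1.0.0
[INFO] +- org.eclipse.californium:californium-core:jar:2.5.0:compile
[INFO] |  \\- org.eclipse.californium:element-connector:jar:2.5.0:compile
[INFO] +- org.eclipse.californium:scandium:jar:2.5.0:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] \\- org.eclipse.californium:californium-core:test-jar:tests:2.2.3:test
"""

if __name__ == "__main__":
    for artifact, version, status in find_affected(SAMPLE_TREE):
        print(f"{artifact} {version}: {status}")
```

Run it against real output with `mvn dependency:tree | python check_californium.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; the regex also handles classifier coordinates such as `test-jar:tests`, and anything outside the `org.eclipse.californium` group is ignored.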
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844 (Permissions Required, Vendor Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-27222?
How severe is CVE-2020-27222?
How do I fix CVE-2020-27222?
Are you affected by CVE-2020-27222?
Source: NVD / NIST
