CVE-2020-24613: Improper Certificate Validation
wolfSSL mishandles TLS server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS client state machine. It allows attackers in a privileged network position to completely impersonate any TLS server, and to read or modify potentially sensitive information exchanged between clients using the wolfSSL library and those TLS servers.
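The advisory names the state (WAIT_CERT_CR, where a TLS 1.3 client expects either Certificate or CertificateRequest) but not the exact defect. The following C model is an added example, not wolfSSL's code: it assumes the bug class is a client sanity check that lets a server Finished through in WAIT_CERT_CR without confirming that a pre-shared key was negotiated, so a certificate-authenticated handshake completes with no Certificate or CertificateVerify ever processed. The flawed checker is shown beside the strict one; state labels other than WAIT_CERT_CR and all function names are hypothetical, and the server flights are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* TLS 1.3 handshake message types (RFC 8446, section 4). */
enum hs_type {
    HS_SERVER_HELLO = 2, HS_ENCRYPTED_EXTENSIONS = 8, HS_CERTIFICATE = 11,
    HS_CERTIFICATE_REQUEST = 13, HS_CERTIFICATE_VERIFY = 15, HS_FINISHED = 20
};

/* Client handshake states of this model. WAIT_CERT_CR is the name the advisory
 * uses; the other labels are hypothetical, not wolfSSL's own enum. */
enum client_state { WAIT_SH, WAIT_EE, WAIT_CERT_CR, WAIT_CERT, WAIT_CV, WAIT_FINISHED, CONNECTED };

struct client {
    enum client_state state;
    bool psk;            /* ServerHello selected a pre-shared key: no server certificate expected */
    bool authenticated;  /* set only once a CertificateVerify has been processed */
};

typedef bool (*sanity_fn)(struct client *, enum hs_type);

/* Transitions shared by both checkers for every state except WAIT_CERT_CR.
 * Returns false on an out-of-order message; the caller must then abort. */
static bool common_transition(struct client *c, enum hs_type t)
{
    switch (c->state) {
    case WAIT_SH:       if (t != HS_SERVER_HELLO)         return false; c->state = WAIT_EE;      return true;
    case WAIT_EE:       if (t != HS_ENCRYPTED_EXTENSIONS) return false; c->state = WAIT_CERT_CR; return true;
    case WAIT_CERT:     if (t != HS_CERTIFICATE)          return false; c->state = WAIT_CV;      return true;
    case WAIT_CV:       if (t != HS_CERTIFICATE_VERIFY)   return false;
                        c->authenticated = true; /* transcript signature is verified here */
                        c->state = WAIT_FINISHED; return true;
    case WAIT_FINISHED: if (t != HS_FINISHED)             return false; c->state = CONNECTED;    return true;
    default:            return false; /* CONNECTED: no further handshake messages expected */
    }
}

/* Flawed checker (model of the bug class, not wolfSSL's code): in WAIT_CERT_CR it
 * accepts Finished without confirming a PSK was negotiated, so a certificate-based
 * handshake can complete although no Certificate or CertificateVerify arrived. */
bool sanity_check_lax(struct client *c, enum hs_type t)
{
    if (c->state != WAIT_CERT_CR) return common_transition(c, t);
    switch (t) {
    case HS_CERTIFICATE:         c->state = WAIT_CV;   return true;
    case HS_CERTIFICATE_REQUEST: c->state = WAIT_CERT; return true;
    case HS_FINISHED:            c->state = CONNECTED; return true; /* the defect */
    default:                     return false;
    }
}

/* Correct checker: Finished directly after EncryptedExtensions is legal only in a
 * PSK handshake, and Certificate/CertificateRequest only in a certificate one. */
bool sanity_check_strict(struct client *c, enum hs_type t)
{
    if (c->state != WAIT_CERT_CR) return common_transition(c, t);
    switch (t) {
    case HS_CERTIFICATE:         if (c->psk)  return false; c->state = WAIT_CV;   return true;
    case HS_CERTIFICATE_REQUEST: if (c->psk)  return false; c->state = WAIT_CERT; return true;
    case HS_FINISHED:            if (!c->psk) return false; c->state = CONNECTED; return true;
    default:                     return false;
    }
}

/* Constructed server flights, each fed to a fresh client. */
enum flight { FLIGHT_FULL, FLIGHT_CLIENT_AUTH, FLIGHT_PSK, FLIGHT_NO_CERT };

/* 0 = flight rejected, 1 = handshake completed without certificate authentication
 * of the server, 2 = handshake completed with the server authenticated. */
int run_flight(sanity_fn check, enum flight f)
{
    static const enum hs_type full[]   = { HS_SERVER_HELLO, HS_ENCRYPTED_EXTENSIONS, HS_CERTIFICATE,
                                           HS_CERTIFICATE_VERIFY, HS_FINISHED };
    static const enum hs_type cauth[]  = { HS_SERVER_HELLO, HS_ENCRYPTED_EXTENSIONS, HS_CERTIFICATE_REQUEST,
                                           HS_CERTIFICATE, HS_CERTIFICATE_VERIFY, HS_FINISHED };
    static const enum hs_type nocert[] = { HS_SERVER_HELLO, HS_ENCRYPTED_EXTENSIONS, HS_FINISHED };
    const enum hs_type *msgs; size_t n; bool psk = false;
    switch (f) {
    case FLIGHT_FULL:        msgs = full;   n = 5; break;
    case FLIGHT_CLIENT_AUTH: msgs = cauth;  n = 6; break;
    case FLIGHT_PSK:         msgs = nocert; n = 3; psk = true; break;
    default:                 msgs = nocert; n = 3; break; /* FLIGHT_NO_CERT: cert handshake, auth messages missing */
    }
    struct client c = { WAIT_SH, psk, false };
    for (size_t i = 0; i < n; i++)
        if (!check(&c, msgs[i])) return 0;
    if (c.state != CONNECTED) return 0;
    return c.authenticated ? 2 : 1;
}

int main(void)
{
    printf("strict, full flight:    %d\n", run_flight(sanity_check_strict, FLIGHT_FULL));    /* 2 */
    printf("strict, no-cert flight: %d\n", run_flight(sanity_check_strict, FLIGHT_NO_CERT)); /* 0 */
    printf("lax,    no-cert flight: %d\n", run_flight(sanity_check_lax, FLIGHT_NO_CERT));    /* 1 */
    printf("strict, psk flight:     %d\n", run_flight(sanity_check_strict, FLIGHT_PSK));     /* 1 */
    return 0;
}
```

The point the model makes is that a state machine must gate each transition on the handshake mode that was negotiated, not only on the message type: the lax checker reaches CONNECTED on a flight that never carried a CertificateVerify, which is exactly the condition under which an on-path party can stand in for the server. The strict checker rejects that flight, and also rejects Certificate in a PSK handshake, so neither mode can borrow the other's message sequence.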