CVE-2022-25638: Improper Certificate Validation

February 24, 2022 (updated March 4, 2022)

In wolfSSL before 5.2.0, certificate validation may be bypassed during attempted authentication by a TLS 1.3 client to a TLS 1.3 server. This occurs when the sig_algo field differs between the certificate_verify message and the certificate message.

References

github.com/wolfSSL/wolfssl/pull/4813
nvd.nist.gov/vuln/detail/CVE-2022-25638
www.wolfssl.com/docs/security-vulnerabilities/

Code Behaviors & Features

Detect and mitigate CVE-2022-25638 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →