CVE-2019-13456

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-13456
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13456.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-13456
Downstream
Related
Published
2019-12-03T20:15:11.013Z
Modified
2026-02-16T10:16:24.264319Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This information leakage is similar to the "Dragonblood" attack and CVE-2019-9494.

References

Affected packages

Git / github.com/freeradius/freeradius-server

Affected ranges

Type
GIT
Repo
https://github.com/freeradius/freeradius-server
Events
Introduced
580424ea12feeb5933f1aaac33fd5f9e2fa2ee60
Last affected
ab4c767099f263a7cd4109bcdca80ee74210a769

Affected versions

release_3.*
release_3.0.8
Other
release_3_0_0
release_3_0_1
release_3_0_10
release_3_0_11
release_3_0_12
release_3_0_13
release_3_0_14
release_3_0_15
release_3_0_16
release_3_0_17
release_3_0_18
release_3_0_19
release_3_0_2
release_3_0_3
release_3_0_4_rc0
release_3_0_4_rc1
release_3_0_4_rc2
release_3_0_5
release_3_0_6
release_3_0_7
release_3_0_8
release_3_0_9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13456.json"