CVE-2021-45079

In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.

Database specific

{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "14.04"
                },
                {
                    "last_affected": "16.04"
                },
                {
                    "last_affected": "18.04"
                },
                {
                    "last_affected": "20.04"
                },
                {
                    "last_affected": "21.10"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "canonical:ubuntu_linux",
            "cpes": [
                "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
                "cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*"
            ]
        },
        {
            "extracted_events": [
                {
                    "last_affected": "9.0"
                },
                {
                    "last_affected": "10.0"
                },
                {
                    "last_affected": "11.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "debian:debian_linux",
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "extracted_events": [
                {
                    "last_affected": "7.0"
                },
                {
                    "last_affected": "8.0"
                },
                {
                    "last_affected": "9.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "fedoraproject:extra_packages_for_enterprise_linux",
            "cpes": [
                "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:9.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "extracted_events": [
                {
                    "last_affected": "34"
                },
                {
                    "last_affected": "35"
                }
            ],
            "vendor_product": "fedoraproject:fedora",
            "cpes": [
                "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"
            ],
            "source": "CPE_STRING"
        }
    ]
}

References

https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html

Affected packages

Git / github.com/strongswan/strongswan

Affected ranges

Type

GIT

Repo

https://github.com/strongswan/strongswan

Events

Introduced

5fc278edf3795ce7eb2ff11195797f481ede0d77

Fixed

57d6e96943ae583367ae47e08edf1c43013f1bdc

Database specific

{
    "cpe": "cpe:2.3:a:strongswan:strongswan:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "4.1.2"
        },
        {
            "fixed": "5.9.5"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

4.*

4.1.10

4.1.11

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.2.0

4.2.1

4.2.10

4.2.11

4.2.12

4.2.13

4.2.14

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.5rc1

4.3.6

4.4.0

4.4.1

4.5.0

4.5.1

4.5.2

4.5.3

4.6.0

4.6.1

4.6.2

4.6.3

5.*

5.0.0

5.0.1

5.0.2

5.0.2dr4

5.0.2rc1

5.0.3

5.0.3dr1

5.0.3dr2

5.0.3dr3

5.0.3rc1

5.0.4

5.1.0

5.1.0dr1

5.1.0dr2

5.1.0rc1

5.1.1

5.1.1dr1

5.1.1dr2

5.1.1dr3

5.1.1dr4

5.1.1rc1

5.1.2

5.1.2.dr2

5.1.2dr1

5.1.2dr3

5.1.2rc1

5.1.2rc2

5.1.3

5.1.3dr1

5.1.3rc1

5.2.0

5.2.0dr1

5.2.0dr2

5.2.0dr3

5.2.0dr4

5.2.0dr5

5.2.0dr6

5.2.0rc1

5.2.1

5.2.1dr1

5.2.1rc1

5.2.2

5.2.2dr1

5.2.2rc1

5.3.0

5.3.0dr1

5.3.0rc1

5.3.1

5.3.1dr1

5.3.1rc1

5.3.2

5.3.3

5.3.3dr1

5.3.3dr3

5.3.3dr4

5.3.3dr5

5.3.3dr6

5.3.3rc2

5.3.4

5.3.4dr1

5.3.4dr2

5.3.4dr3

5.3.4rc1

5.3.5

5.4.0

5.4.0dr1

5.4.0dr2

5.4.0dr3

5.4.0dr4

5.4.0dr5

5.4.0dr6

5.4.0dr7

5.4.0dr8

5.4.0rc1

5.4.1dr1

5.4.1dr2

5.4.1dr3

5.4.1dr4

5.5.0

5.5.0dr1

5.5.0rc1

5.5.1

5.5.1dr1

5.5.1dr2

5.5.1dr3

5.5.1dr4

5.5.1dr5

5.5.1rc1

5.5.1rc2

5.5.2

5.5.2dr1

5.5.2dr2

5.5.2dr3

5.5.2dr4

5.5.2dr5

5.5.2dr6

5.5.2dr7

5.5.2rc1

5.5.3

5.5.3dr1

5.5.3dr2

5.6.0

5.6.0dr1

5.6.0dr2

5.6.0dr3

5.6.0dr4

5.6.0rc1

5.6.0rc2

5.6.1

5.6.1dr1

5.6.1dr2

5.6.1dr3

5.6.1rc1

5.6.2

5.6.2dr1

5.6.2dr2

5.6.2dr3

5.6.2dr4

5.6.2rc1

5.6.3

5.6.3dr1

5.6.3dr2

5.6.3rc1

5.7.0

5.7.0dr1

5.7.0dr2

5.7.0dr3

5.7.0dr4

5.7.0dr5

5.7.0dr6

5.7.0dr8

5.7.0rc1

5.7.0rc2

5.7.1

5.7.2

5.7.2dr1

5.7.2dr2

5.7.2dr3

5.7.2dr4

5.7.2rc1

5.8.0

5.8.0dr2

5.8.0rc1

5.8.1

5.8.1dr1

5.8.1rc2

5.8.2

5.8.2dr1

5.8.2dr2

5.8.2rc1

5.8.2rc2

5.8.3

5.8.3rc1

5.8.4

5.9.0

5.9.0dr1

5.9.0dr2

5.9.0rc1

5.9.1

5.9.1dr1

5.9.1rc1

5.9.2

5.9.2dr1

5.9.2dr2

5.9.2rc1

5.9.2rc2

5.9.3

5.9.3dr1

5.9.3dr2

5.9.3dr3

5.9.3dr4

5.9.3rc1

5.9.4

5.9.4dr1

5.9.4dr2

5.9.4dr3

5.9.4rc1

5.9.5dr1

5.9.5dr2

5.9.5dr3

5.9.5dr4

5.9.5rc1

android-2.*

android-2.3.3

android-2.3.3-1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45079.json"