UBUNTU-CVE-2019-9498
See a problem?- Source
- https://ubuntu.com/security/notices/UBUNTU-CVE-2019-9498
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-9498.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-9498
- Related
- Published
- 2019-04-10T15:00:00Z
- Modified
- 2019-04-10T15:00:00Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit. An attacker may be able to use invalid scalar/element values to complete authentication, gaining session key and network access without needing or learning the password. Both hostapd with SAE support and wpasupplicant with SAE support prior to and including version 2.4 are affected. Both hostapd with EAP-pwd support and wpasupplicant with EAP-pwd support prior to and including version 2.7 are affected.
- References
Affected packages
Ubuntu:14.04:LTS / wpa
Package
- Name
- wpa
- Purl
- pkg:deb/ubuntu/wpa@2.1-0ubuntu1.7?arch=src?distro=trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.1-0ubuntu1.7
Affected versions
1.*
1.0-3ubuntu2
1.0-3ubuntu3
1.0-3ubuntu4
2.*
2.1-0ubuntu1
2.1-0ubuntu1.1
2.1-0ubuntu1.2
2.1-0ubuntu1.3
2.1-0ubuntu1.4
2.1-0ubuntu1.5
2.1-0ubuntu1.6
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"hostapd-dbgsym": "1:2.1-0ubuntu1.7",
"wpasupplicant-udeb": "2.1-0ubuntu1.7",
"wpagui-dbgsym": "2.1-0ubuntu1.7",
"hostapd": "1:2.1-0ubuntu1.7",
"wpagui": "2.1-0ubuntu1.7",
"wpasupplicant": "2.1-0ubuntu1.7",
"wpasupplicant-udeb-dbgsym": "2.1-0ubuntu1.7",
"wpasupplicant-dbgsym": "2.1-0ubuntu1.7"
}
]
}
Ubuntu:16.04:LTS / wpa
Package
- Name
- wpa
- Purl
- pkg:deb/ubuntu/wpa@2.4-0ubuntu6.4?arch=src?distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.4-0ubuntu6.4
Affected versions
2.*
2.4-0ubuntu3
2.4-0ubuntu4
2.4-0ubuntu5
2.4-0ubuntu6
2.4-0ubuntu6.2
2.4-0ubuntu6.3
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"hostapd-dbgsym": "1:2.4-0ubuntu6.4",
"wpasupplicant-udeb": "2.4-0ubuntu6.4",
"wpagui-dbgsym": "2.4-0ubuntu6.4",
"hostapd": "1:2.4-0ubuntu6.4",
"wpagui": "2.4-0ubuntu6.4",
"wpasupplicant": "2.4-0ubuntu6.4",
"wpasupplicant-udeb-dbgsym": "2.4-0ubuntu6.4",
"wpasupplicant-dbgsym": "2.4-0ubuntu6.4"
}
]
}
Ubuntu:18.04:LTS / wpa
Package
- Name
- wpa
- Purl
- pkg:deb/ubuntu/wpa@2:2.6-15ubuntu2.2?arch=src?distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2:2.6-15ubuntu2.2
Affected versions
2.*
2.4-0ubuntu10
2:2.*
2:2.4-1.1ubuntu1
2:2.6-15ubuntu1
2:2.6-15ubuntu2
2:2.6-15ubuntu2.1
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"hostapd-dbgsym": "2:2.6-15ubuntu2.2",
"wpasupplicant-udeb": "2:2.6-15ubuntu2.2",
"wpagui-dbgsym": "2:2.6-15ubuntu2.2",
"hostapd": "2:2.6-15ubuntu2.2",
"wpagui": "2:2.6-15ubuntu2.2",
"wpasupplicant": "2:2.6-15ubuntu2.2",
"wpasupplicant-dbgsym": "2:2.6-15ubuntu2.2"
}
]
}