CVE-2023-38712

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-38712
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-38712.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-38712
Related
Published
2023-08-25T21:15:08Z
Modified
2024-06-09T20:04:41.393041Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in Libreswan 3.x and 4.x before 4.12. When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a NULL pointer dereference on the deleted state causes the pluto daemon to crash and restart.

References

Affected packages

Debian:11 / libreswan

Package

Name
libreswan
Purl
pkg:deb/debian/libreswan?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.3-1
4.3-1+deb11u1
4.3-1+deb11u3
4.3-1+deb11u4
4.5-1
4.5-2
4.6-1
4.7-1
4.9-1
4.9-2
4.10-1
4.10-2
4.11-1
4.12-1
4.12-2
4.12-3
4.14-1

5.*

5.0~rc2-1
5.0~rc2-2

Ecosystem specific

{
    "urgency": "end-of-life"
}

Git / github.com/libreswan/libreswan

Affected ranges

Type
GIT
Repo
https://github.com/libreswan/libreswan
Events

Affected versions

debian/3.*

debian/3.18-1
debian/3.19-1
debian/3.19-2
debian/3.20-1
debian/3.20-2
debian/3.20-3
debian/3.20-4
debian/3.20-5
debian/3.20-6
debian/3.20-7
debian/3.21-1
debian/3.21_rc2-1
debian/3.21_rc5-1

v3.*

v3.0
v3.1
v3.10
v3.10dr1
v3.10rc1
v3.10rc2
v3.11
v3.11dr1
v3.12
v3.12rc1
v3.14
v3.14rc1
v3.14rc2
v3.14rc3
v3.15
v3.16
v3.16rc2
v3.16rc3
v3.17
v3.18
v3.18dr2
v3.18dr3
v3.19
v3.2
v3.20
v3.20dr3
v3.20dr4
v3.21
v3.21_rc2
v3.21_rc5
v3.21rc2
v3.21rc5
v3.22
v3.22dr1
v3.25
v3.26
v3.27
v3.28
v3.2rc1
v3.3
v3.30
v3.4
v3.5
v3.6
v3.7
v3.8
v3.9
v3.9rc1