CVE-2020-24613: Improper Certificate Validation
wolfSSL mishandles TLS server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS client state machine. This allows attackers in a privileged network position to completely impersonate any TLS servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.
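The defect described above is a client-side handshake state machine that accepts a server message it should have rejected. The following is an added illustration, not wolfSSL's code, of what a correct message-order check looks like for a TLS 1.3 client: it models the RFC 8446 server flight (ServerHello, EncryptedExtensions, optional CertificateRequest, Certificate, CertificateVerify, Finished) and rejects any message that arrives while the client is still waiting for a Certificate. The state and function names (`ST_WAIT_CERT_CR`, `client_next_state`, `validate_server_flight`) and the PSK-mode shortcut are assumptions for this example and do not correspond to wolfSSL identifiers beyond the state name quoted on the page.

```c
/* Added example: a model TLS 1.3 client handshake-order check.
 * This is NOT wolfSSL code; names are hypothetical and the state
 * layout is taken from RFC 8446 section 4, not from tls13.c. */
#include <stdio.h>

/* Handshake message type values from RFC 8446, section 4 */
enum hs_type {
    HS_SERVER_HELLO         = 2,
    HS_ENCRYPTED_EXTENSIONS = 8,
    HS_CERTIFICATE          = 11,
    HS_CERTIFICATE_REQUEST  = 13,
    HS_CERTIFICATE_VERIFY   = 15,
    HS_FINISHED             = 20
};

/* Hypothetical client states; ST_WAIT_CERT_CR mirrors the page's WAIT_CERT_CR:
 * the client has seen EncryptedExtensions and now expects either a
 * Certificate or a CertificateRequest, nothing else. */
enum client_state {
    ST_WAIT_SH,        /* expecting ServerHello */
    ST_WAIT_EE,        /* expecting EncryptedExtensions */
    ST_WAIT_CERT_CR,   /* expecting Certificate or CertificateRequest */
    ST_WAIT_CERT,      /* CertificateRequest seen, expecting Certificate */
    ST_WAIT_CV,        /* expecting CertificateVerify */
    ST_WAIT_FINISHED,  /* expecting Finished */
    ST_CONNECTED       /* handshake complete */
};

/* Return the next state for (state, msg), or -1 if msg is out of order.
 * psk_mode models a PSK-only handshake, where the server legitimately
 * sends no Certificate/CertificateVerify (RFC 8446 section 2.2). */
int client_next_state(int state, int msg, int psk_mode)
{
    switch (state) {
    case ST_WAIT_SH:
        return msg == HS_SERVER_HELLO ? ST_WAIT_EE : -1;
    case ST_WAIT_EE:
        if (msg != HS_ENCRYPTED_EXTENSIONS) return -1;
        return psk_mode ? ST_WAIT_FINISHED : ST_WAIT_CERT_CR;
    case ST_WAIT_CERT_CR:
        /* The check that matters for this CVE: only the two messages the
         * state is named after are acceptable here. A Finished, a
         * CertificateVerify or a second ServerHello is rejected. */
        if (msg == HS_CERTIFICATE_REQUEST) return ST_WAIT_CERT;
        if (msg == HS_CERTIFICATE)         return ST_WAIT_CV;
        return -1;
    case ST_WAIT_CERT:
        return msg == HS_CERTIFICATE ? ST_WAIT_CV : -1;
    case ST_WAIT_CV:
        return msg == HS_CERTIFICATE_VERIFY ? ST_WAIT_FINISHED : -1;
    case ST_WAIT_FINISHED:
        return msg == HS_FINISHED ? ST_CONNECTED : -1;
    default:
        return -1;
    }
}

/* Feed a whole server flight through the state machine.
 * Returns 1 only if every message is in order and the flight ends in
 * ST_CONNECTED; 0 as soon as any message is out of order. */
int validate_server_flight(const int *msgs, int n, int psk_mode)
{
    int state = ST_WAIT_SH;
    for (int i = 0; i < n; i++) {
        state = client_next_state(state, msgs[i], psk_mode);
        if (state < 0) return 0;
    }
    return state == ST_CONNECTED;
}

int main(void)
{
    /* Constructed flights: a full certificate-authenticated handshake and
     * one that jumps from EncryptedExtensions straight to Finished. */
    const int full[] = { HS_SERVER_HELLO, HS_ENCRYPTED_EXTENSIONS,
                         HS_CERTIFICATE, HS_CERTIFICATE_VERIFY, HS_FINISHED };
    const int skip[] = { HS_SERVER_HELLO, HS_ENCRYPTED_EXTENSIONS, HS_FINISHED };

    printf("full flight accepted: %d\n", validate_server_flight(full, 5, 0));
    printf("flight without Certificate accepted: %d\n",
           validate_server_flight(skip, 3, 0));
    return 0;
}
```

The point of the model is that authentication in TLS 1.3 rests on the client refusing to leave WAIT_CERT_CR without a Certificate: if the state machine lets a later message through, the subsequent signature and Finished checks have nothing to bind to, which is what makes server impersonation possible.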
References