CVE-2022-25640: Improper Authentication

February 24, 2022 (updated August 8, 2023)

In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a requirement for mutual authentication. A client can simply omit the certificate_verify message from the handshake, and never present a certificate.

References

github.com/wolfSSL/wolfssl/pull/4831
nvd.nist.gov/vuln/detail/CVE-2022-25640

Detect and mitigate CVE-2022-25640 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →