CVE-2021-34433: Improper Verification of Cryptographic Signature

August 20, 2021 (updated August 26, 2021)

In Eclipse Californium the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side’s signature on the client side, if that signature is not included in the server’s ServerKeyExchange.

References

bugs.eclipse.org/bugs/show_bug.cgi?id=575281
nvd.nist.gov/vuln/detail/CVE-2021-34433

Code Behaviors & Features

Detect and mitigate CVE-2021-34433 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →