Sofia-SIP is an open-source SIP User-Agent library, compliant with the IETF RFC3261 specification.

A vulnerability has been identified in SPDM session establishment in libspdm prior to version 2.3.1. Libspdm is a sample implementation that follows the DMTF SPDM specifications. If a device supports both DHE sessions and PSK sessions with mutual authentication, an attacker may be able to establish a session with `KEY_EXCHANGE` and `PSK_FINISH` to bypass the mutual authentication. This is most likely to happen when the Requester begins a session using one method (DHE, for example) and then uses the other method's finish message (`PSK_FINISH` in this example) to establish the session. The session hashes would be expected to fail in this case, but the condition was not detected. This issue only impacts an SPDM responder that supports `KEY_EX_CAP=1` and `PSK_CAP=10b` at the same time with a mutual authentication requirement. The SPDM responder is not impacted if `KEY_EX_CAP=0`, `PSK_CAP=0`, or `PSK_CAP=01b`. The SPDM responder is also not impacted if mutual authentication is not required. Older branches are not maintained, but users of the 2.3 branch may receive a patch in version 2.3.2. The SPDM specification (DSP0274) does not contain this vulnerability.

In WFTPD 3.25, usernames and password hashes are stored in an openly viewable wftpd.ini configuration file within the WFTPD directory.

Netkit-rcp in rsh-client 0.17-24 allows command injection via filenames because /bin/sh is used by system(), a related issue to CVE-2006-0225, CVE-2019-7283, and CVE-2020-15778.
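The libspdm issue above comes down to the responder accepting a finish message from one key-exchange path for a session opened through the other. The following added example (not libspdm's own code) models a responder-side session state machine that records how a session was started and rejects a mismatched finish; the `session_t`, `msg_kind_t` and `responder_handle` names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of responder session state; not libspdm's API. */
typedef enum { SESSION_NONE = 0, SESSION_DHE, SESSION_PSK } session_kind_t;
typedef enum { MSG_KEY_EXCHANGE, MSG_FINISH, MSG_PSK_EXCHANGE, MSG_PSK_FINISH } msg_kind_t;

typedef struct {
    session_kind_t kind;     /* which exchange opened the session */
    bool mut_auth_required;  /* responder policy */
    bool established;
} session_t;

void session_init(session_t *s, bool mut_auth_required) {
    s->kind = SESSION_NONE;
    s->mut_auth_required = mut_auth_required;
    s->established = false;
}

/* requester_sig_ok: result of verifying the requester's FINISH signature.
   Returns 0 when the message is accepted, -1 when it is rejected. */
int responder_handle(session_t *s, msg_kind_t msg, bool requester_sig_ok) {
    switch (msg) {
    case MSG_KEY_EXCHANGE:
        if (s->kind != SESSION_NONE) return -1;
        s->kind = SESSION_DHE;
        return 0;
    case MSG_PSK_EXCHANGE:
        if (s->kind != SESSION_NONE) return -1;
        s->kind = SESSION_PSK;
        return 0;
    case MSG_FINISH:
        /* FINISH is only valid for a DHE session, and with mutual auth
           required it must carry a valid requester signature. */
        if (s->kind != SESSION_DHE) return -1;
        if (s->mut_auth_required && !requester_sig_ok) return -1;
        s->established = true;
        return 0;
    case MSG_PSK_FINISH:
        /* The check that closes the bypass: PSK_FINISH must not be allowed
           to complete a session that was opened with KEY_EXCHANGE. */
        if (s->kind != SESSION_PSK) return -1;
        s->established = true;
        return 0;
    }
    return -1;
}
```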