Details of VAR-202108-1786

ID

VAR-202108-1786

CVE

CVE-2021-34433

TITLE

Eclipse Californium Digital Signature Verification Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2021-012352

DESCRIPTION

In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange. Eclipse Californium Exists in a digital signature verification vulnerability.Information may be tampered with. Eclipse Californium is a Java-based code library of the Eclipse Foundation that provides Coap back-end support for the Internet of Things. Eclipse Californium has a data forgery vulnerability. The following products and versions are affected: Eclipse Californium 2.0.0 to 2.6.4 versions, Eclipse Californium 3.0.0-M1 to 3.0.0-M3 versions

Trust: 2.25

sources: NVD: CVE-2021-34433 // JVNDB: JVNDB-2021-012352 // CNNVD: CNNVD-202108-1804 // VULMON: CVE-2021-34433

AFFECTED PRODUCTS

vendor:	eclipse	model:	californium	scope:	eq	version:	3.0.0	Trust: 1.0
vendor:	eclipse	model:	californium	scope:	lt	version:	2.6.5	Trust: 1.0
vendor:	eclipse	model:	californium	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	eclipse	model:	californium	scope:	eq	version:	3.0.0-m1 to 3.0.0-m3	Trust: 0.8
vendor:	eclipse	model:	californium	scope:	eq	version:	2.0.0 to 2.6.4	Trust: 0.8
vendor:	eclipse	model:	californium	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2021-012352 // NVD: CVE-2021-34433

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-34433
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-34433
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-202108-1804
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-34433
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-34433
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

nvd@nist.gov:	CVE-2021-34433
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-34433
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	NONE
integrityImpact:	HIGH
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULMON: CVE-2021-34433 // JVNDB: JVNDB-2021-012352 // CNNVD: CNNVD-202108-1804 // NVD: CVE-2021-34433

PROBLEMTYPE DATA

problemtype:	CWE-322	Trust: 1.0
problemtype:	CWE-347	Trust: 1.0
problemtype:	Improper verification of digital signatures (CWE-347) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-012352 // NVD: CVE-2021-34433

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202108-1804

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-202108-1804

PATCH

title:	Bug 575281	url:	https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281	Trust: 0.8
title:	Eclipse Californium Repair measures for data forgery problem vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=160817	Trust: 0.6

sources: JVNDB: JVNDB-2021-012352 // CNNVD: CNNVD-202108-1804

EXTERNAL IDS

db:	NVD	id:	CVE-2021-34433	Trust: 3.3
db:	JVNDB	id:	JVNDB-2021-012352	Trust: 0.8
db:	CNNVD	id:	CNNVD-202108-1804	Trust: 0.6
db:	VULMON	id:	CVE-2021-34433	Trust: 0.1

sources: VULMON: CVE-2021-34433 // JVNDB: JVNDB-2021-012352 // CNNVD: CNNVD-202108-1804 // NVD: CVE-2021-34433

REFERENCES

url:	https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2021-34433	Trust: 1.4
url:	https://cwe.mitre.org/data/definitions/347.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2021-34433 // JVNDB: JVNDB-2021-012352 // CNNVD: CNNVD-202108-1804 // NVD: CVE-2021-34433

SOURCES

db:	VULMON	id:	CVE-2021-34433
db:	JVNDB	id:	JVNDB-2021-012352
db:	CNNVD	id:	CNNVD-202108-1804
db:	NVD	id:	CVE-2021-34433

LAST UPDATE DATE

2024-08-14T15:11:48.828000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2021-34433	date:	2021-08-26T00:00:00
db:	JVNDB	id:	JVNDB-2021-012352	date:	2022-08-30T03:16:00
db:	CNNVD	id:	CNNVD-202108-1804	date:	2021-08-27T00:00:00
db:	NVD	id:	CVE-2021-34433	date:	2021-08-26T14:02:34.797

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2021-34433	date:	2021-08-20T00:00:00
db:	JVNDB	id:	JVNDB-2021-012352	date:	2022-08-30T00:00:00
db:	CNNVD	id:	CNNVD-202108-1804	date:	2021-08-20T00:00:00
db:	NVD	id:	CVE-2021-34433	date:	2021-08-20T17:15:07.687