How severe is CVE-2020-24613?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.8 out of 10.

What type of vulnerability is CVE-2020-24613?

This is classified as CWE-295, which is a common weakness in software security.

CVE-2020-24613 - MEDIUM Severity | CVSS 6.8

Vulnerability Description

wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_CR state, within SanityCheckTls13MsgReceived() in tls13.c. This is an incorrect implementation of the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers, and read or modify potentially sensitive information between clients using the wolfSSL library and these TLS servers.

Related Vulnerabilities

CVE-2006-7246

MEDIUM

CVSS:6.8(Medium)

NetworkManager 0.9.x does not pin a certificate's subject to an ESSID when 802.11X authentication is used.

CWE-2952006

CVE-2015-4100

MEDIUM

CVSS:6.8(Medium)

Puppet Enterprise 3.7.x and 3.8.0 might allow remote authenticated users to manage certificates for arbitrary nodes by leveraging a client certificate trusted by the master, aka a "Certificate Authori...

CWE-2952015

CVE-2017-3182

MEDIUM

CVSS:6.8(Medium)

On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail to validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attac...

CWE-2952017

CVE-2018-12205

MEDIUM

CVSS:6.8(Medium)

Improper certificate validation in Platform Sample/ Silicon Reference firmware for 8th Generation Intel(R) Core(tm) Processor, 7th Generation Intel(R) Core(tm) Processor may allow an unauthenticated u...

CWE-2952018

CVE-2018-16261

MEDIUM

CVSS:6.8(Medium)

In Pulse Secure Pulse Desktop Client 5.3RX before 5.3R5 and 9.0R1, there is a Privilege Escalation Vulnerability with Dynamic Certificate Trust.

CWE-2952018

CVE-2019-3814

MEDIUM

CVSS:6.8(Medium)

It was discovered that Dovecot before versions 2.2.36.1 and 2.3.4.1 incorrectly handled client certificates. A remote attacker in possession of a valid certificate with an empty username field could p...

CWE-2952019