Total vulnerabilities in the database
In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.
| Software | From | Fixed in |
|---|---|---|
| strongswan / strongswan | 4.1.2 | 5.9.5 |
| debian / debian_linux | 9.0 | 9.0.x |
| debian / debian_linux | 10.0 | 10.0.x |
| debian / debian_linux | 11.0 | 11.0.x |
| fedoraproject / fedora | 34 | 34.x |
| fedoraproject / extra_packages_for_enterprise_linux | 8.0 | 8.0.x |
| fedoraproject / fedora | 35 | 35.x |
| fedoraproject / extra_packages_for_enterprise_linux | 9.0 | 9.0.x |
| fedoraproject / extra_packages_for_enterprise_linux | 7.0 | 7.0.x |
| canonical / ubuntu_linux | 18.04 | 18.04.x |
| canonical / ubuntu_linux | 14.04 | 14.04.x |
| canonical / ubuntu_linux | 20.04 | 20.04.x |
| canonical / ubuntu_linux | 16.04 | 16.04.x |
| canonical / ubuntu_linux | 21.10 | 21.10.x |