Skip to main content

Strongswan Vpn Client CVE-2015-4171

LOW
Information Exposure (CWE-200)
2015-06-10 cve@mitre.org
2.6
CVSS 2.0 · NVD

Severity by source

NVD PRIMARY
2.6 LOW
AV:N/AC:H/Au:N/C:P/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:H/Au:N/C:P/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Confidentiality
P
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 10, 2015 - 18:59 cve.org
LOW 2.6

DescriptionCVE.org

strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication restrictions until the entire authentication process is complete, which allows remote servers to obtain credentials by using a valid certificate and then reading the responses.

AnalysisAI

strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication restrictions until the entire authentication process is complete, which allows remote servers to obtain credentials by using a valid certificate and then reading the responses. Affected products include: Strongswan Strongswan Vpn Client, Canonical Ubuntu Linux, Debian Debian Linux, Strongswan. Version information: through 5..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

Share

CVE-2015-4171 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy