Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for Eclipse Californium by The Eclipse Foundation

    CVE-2022-2576 (GCVE-0-2022-2576)

    Vulnerability from nvd – Published: 2022-07-29 13:20 – Updated: 2024-08-03 00:39
    VLAI
    Summary
    In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
    Severity
    No CVSS data available.
    CWE
    • CWE-408 - Incorrect Behavior Order: Early Amplification
    Assigner
    References
    URL Tags
    https://bugs.eclipse.org/580018 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    The Eclipse Foundation Eclipse Californium Affected: 2.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 2.7.2 (custom)
    Affected: 3.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 3.5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:39:08.153Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.eclipse.org/580018"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Californium",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.7.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.5.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-408",
                  "description": "CWE-408: Incorrect Behavior Order: Early Amplification",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-29T13:20:10.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.eclipse.org/580018"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2022-2576",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Californium",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "2.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.7.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "3.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-408: Incorrect Behavior Order: Early Amplification"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugs.eclipse.org/580018",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.eclipse.org/580018"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2022-2576",
        "datePublished": "2022-07-29T13:20:10.000Z",
        "dateReserved": "2022-07-29T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:39:08.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-34433 (GCVE-0-2021-34433)

    Vulnerability from nvd – Published: 2021-08-20 17:10 – Updated: 2024-08-04 00:12
    VLAI
    Summary
    In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.
    Severity
    No CVSS data available.
    CWE
    • CWE-322 - Key Exchange without Entity Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Eclipse Foundation Eclipse Californium Affected: 2.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 2.6.4 (custom)
    Affected: 3.0.0-M1 , < unspecified (custom)
    Affected: unspecified , ≤ 3.0.0-M3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:12:50.235Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Californium",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.0.0-M1",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.0.0-M3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-322",
                  "description": "CWE-322: Key Exchange without Entity Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-20T17:10:10.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2021-34433",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Californium",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "2.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.6.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "3.0.0-M1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.0.0-M3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-322: Key Exchange without Entity Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2021-34433",
        "datePublished": "2021-08-20T17:10:10.000Z",
        "dateReserved": "2021-06-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:12:50.235Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27222 (GCVE-0-2020-27222)

    Vulnerability from nvd – Published: 2021-02-03 15:45 – Updated: 2024-08-04 16:11
    VLAI
    Summary
    In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS.
    Severity
    No CVSS data available.
    CWE
    • CWE-372 - Incomplete Internal State Distinction
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:11:36.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Californium",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "[2.3.0, 2.6.0]"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-372",
                  "description": "CWE-372: Incomplete Internal State Distinction",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-03T16:36:38.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2020-27222",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Californium",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "[2.3.0, 2.6.0]"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-372: Incomplete Internal State Distinction"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2020-27222",
        "datePublished": "2021-02-03T15:45:13.000Z",
        "dateReserved": "2020-10-19T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:11:36.000Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2576 (GCVE-0-2022-2576)

    Vulnerability from cvelistv5 – Published: 2022-07-29 13:20 – Updated: 2024-08-03 00:39
    VLAI
    Summary
    In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.
    Severity
    No CVSS data available.
    CWE
    • CWE-408 - Incorrect Behavior Order: Early Amplification
    Assigner
    References
    URL Tags
    https://bugs.eclipse.org/580018 x_refsource_CONFIRM
    Impacted products
    Vendor Product Version
    The Eclipse Foundation Eclipse Californium Affected: 2.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 2.7.2 (custom)
    Affected: 3.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 3.5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:39:08.153Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.eclipse.org/580018"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Californium",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.7.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.5.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-408",
                  "description": "CWE-408: Incorrect Behavior Order: Early Amplification",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-07-29T13:20:10.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.eclipse.org/580018"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2022-2576",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Californium",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "2.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.7.2"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "3.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-408: Incorrect Behavior Order: Early Amplification"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugs.eclipse.org/580018",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.eclipse.org/580018"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2022-2576",
        "datePublished": "2022-07-29T13:20:10.000Z",
        "dateReserved": "2022-07-29T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:39:08.153Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-34433 (GCVE-0-2021-34433)

    Vulnerability from cvelistv5 – Published: 2021-08-20 17:10 – Updated: 2024-08-04 00:12
    VLAI
    Summary
    In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side's signature on the client side, if that signature is not included in the server's ServerKeyExchange.
    Severity
    No CVSS data available.
    CWE
    • CWE-322 - Key Exchange without Entity Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    The Eclipse Foundation Eclipse Californium Affected: 2.0.0 , < unspecified (custom)
    Affected: unspecified , ≤ 2.6.4 (custom)
    Affected: 3.0.0-M1 , < unspecified (custom)
    Affected: unspecified , ≤ 3.0.0-M3 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T00:12:50.235Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Californium",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "2.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "2.6.4",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThan": "unspecified",
                  "status": "affected",
                  "version": "3.0.0-M1",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "3.0.0-M3",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-322",
                  "description": "CWE-322: Key Exchange without Entity Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-08-20T17:10:10.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2021-34433",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Californium",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003e=",
                                "version_value": "2.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "2.6.4"
                              },
                              {
                                "version_affected": "\u003e=",
                                "version_value": "3.0.0-M1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "3.0.0-M3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Californium version 2.0.0 to 2.6.4 and 3.0.0-M1 to 3.0.0-M3, the certificate based (x509 and RPK) DTLS handshakes accidentally succeeds without verifying the server side\u0027s signature on the client side, if that signature is not included in the server\u0027s ServerKeyExchange."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-322: Key Exchange without Entity Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=575281"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2021-34433",
        "datePublished": "2021-08-20T17:10:10.000Z",
        "dateReserved": "2021-06-09T00:00:00.000Z",
        "dateUpdated": "2024-08-04T00:12:50.235Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27222 (GCVE-0-2020-27222)

    Vulnerability from cvelistv5 – Published: 2021-02-03 15:45 – Updated: 2024-08-04 16:11
    VLAI
    Summary
    In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS.
    Severity
    No CVSS data available.
    CWE
    • CWE-372 - Incomplete Internal State Distinction
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:11:36.000Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Eclipse Californium",
              "vendor": "The Eclipse Foundation",
              "versions": [
                {
                  "status": "affected",
                  "version": "[2.3.0, 2.6.0]"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-372",
                  "description": "CWE-372: Incomplete Internal State Distinction",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-03T16:36:38.000Z",
            "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
            "shortName": "eclipse"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@eclipse.org",
              "ID": "CVE-2020-27222",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Eclipse Californium",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "[2.3.0, 2.6.0]"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The Eclipse Foundation"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based (x509 and RPK) DTLS handshakes accidentally fails, because the DTLS server side sticks to a wrong internal state. That wrong internal state is set by a previous certificate based DTLS handshake failure with TLS parameter mismatch. The DTLS server side must be restarted to recover this. This allow clients to force a DoS."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-372: Incomplete Internal State Distinction"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844",
                  "refsource": "CONFIRM",
                  "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=570844"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "assignerShortName": "eclipse",
        "cveId": "CVE-2020-27222",
        "datePublished": "2021-02-03T15:45:13.000Z",
        "dateReserved": "2020-10-19T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:11:36.000Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }