CVE-2015-4145
Advisory lineage Upstream: 0 Downstream: 6
Modified
Published: 15 Jun 2015, 15:00
Last modified:06 Aug 2024, 06:04
Vulnerability Summary
Overall Risk (default)
low
20/100 CVSS Score
5 MEDIUM
v2.0 (nvd)
EPSS Score
1.21% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
15 Jun 2015, 15:00
Published
Vulnerability first disclosed
06 Aug 2024, 06:04
Last Modified
Vulnerability information updated
Description
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.
CVSS Metrics
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 1.21%• Percentile: 79%
Techniques & Countermeasures
- CWE-399•Resource Management Errors
Weaknesses in this category are related to improper management of system resources.
Affected Systems
- opensuse•opensuse
13.1 | 13.2
- w1.fi•hostapd
1.0 | 1.1 | 2.0 | 2.1 | 2.2 | 2.3 | 2.4
- w1.fi•wpa_supplicant
1.0 | 1.1 | 2.0 | 2.1 | 2.2 | 2.3 | 2.4
References (7)
- http://www.openwall.com/lists/oss-security/2015/05/31/6
- http://www.debian.org/security/2015/dsa-3397
- https://security.gentoo.org/glsa/201606-17
- http://www.ubuntu.com/usn/USN-2650-1
- http://w1.fi/security/2015-4/eap-pwd-missing-payload-length-validation.txt
- http://lists.opensuse.org/opensuse-updates/2015-06/msg00019.html
- http://www.openwall.com/lists/oss-security/2015/05/09/6