CVE-2024-5991

Name
CVE-2024-5991
Description
In function MatchDomainName(), input param str is treated as a NULL-terminated string despite being user-provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirement that it be NULL-terminated. If a caller was attempting to do a name check on a non-NULL-terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator. This issue affects wolfSSL: through 5.7.0.
NVD Severity
high

References

| Type | URI |
| --- | --- |
| | https://github.com/wolfSSL/wolfssl/pull/7604 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| | wolfssl | >= 0 | <= 5.7.0 |
| cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:* | wolfssl | >= 0 | <= 5.7.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| wolfssl | edge-community | 5.7.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| wolfssl | 3.20-community | 5.7.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |