2157831 – (CVE-2022-48195) CVE-2022-48195 mellium.im/sasl: insufficient randomness during authentication

Bug 2157831 (CVE-2022-48195) - CVE-2022-48195 mellium.im/sasl: insufficient randomness during authentication

Summary: CVE-2022-48195 mellium.im/sasl: insufficient randomness during authentication

Keywords:
Status:	NEW
Alias:	CVE-2022-48195
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2157256
TreeView+	depends on / blocked

Reported:	2023-01-03 06:58 UTC by Avinash Hanwate
Modified:	2023-07-07 08:30 UTC (History)
CC List:	11 users (show)
Fixed In Version:	mellium.im/sasl 0.3.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-01-03 06:58:00 UTC

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

https://mellium.im/cve/cve-2022-48195/

Note You need to log in before you can comment on or make changes to this bug.