CVE-2024-2873

A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wolfSSL/wolfssh/pull/670	Issue Tracking
https://github.com/wolfSSL/wolfssh/pull/671	Issue Tracking
https://www.wolfssl.com/docs/security-vulnerabilities/	Vendor Advisory
https://github.com/wolfSSL/wolfssh/pull/670	Issue Tracking
https://github.com/wolfSSL/wolfssh/pull/671	Issue Tracking
https://www.wolfssl.com/docs/security-vulnerabilities/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wolfssh:wolfssh:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-03-25 22:37

Updated : 2025-12-05 20:09

NVD link : CVE-2024-2873

Mitre link : CVE-2024-2873

CVE.ORG link : CVE-2024-2873

JSON object : View

Products Affected

wolfssh

wolfssh

CWE

CWE-287

Improper Authentication

{"id": "CVE-2024-2873", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "facts@wolfssl.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-03-25T22:37:19.847", "references": [{"url": "https://github.com/wolfSSL/wolfssh/pull/670", "tags": ["Issue Tracking"], "source": "facts@wolfssl.com"}, {"url": "https://github.com/wolfSSL/wolfssh/pull/671", "tags": ["Issue Tracking"], "source": "facts@wolfssl.com"}, {"url": "https://www.wolfssl.com/docs/security-vulnerabilities/", "tags": ["Vendor Advisory"], "source": "facts@wolfssl.com"}, {"url": "https://github.com/wolfSSL/wolfssh/pull/670", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/wolfSSL/wolfssh/pull/671", "tags": ["Issue Tracking"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.wolfssl.com/docs/security-vulnerabilities/", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "facts@wolfssl.com", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in wolfSSH's server-side state machine before versions 1.4.17. A malicious client could create channels without first performing user authentication, resulting in unauthorized access.\n"}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en la m\u00e1quina de estado del lado del servidor de wolfSSH antes de las versiones 1.4.17. Un cliente malintencionado podr\u00eda crear canales sin realizar primero la autenticaci\u00f3n del usuario, lo que provocar\u00eda un acceso no autorizado."}], "lastModified": "2025-12-05T20:09:27.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wolfssh:wolfssh:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F84F99B-681F-43B2-BEA5-B3ED6BFABC3D", "versionEndExcluding": "1.4.17"}], "operator": "OR"}]}], "sourceIdentifier": "facts@wolfssl.com"}