FreeRADIUS

All CVEs

50 total · sorted by risk
  • CVE-2017-10984 · Critical · Jul 17, 2017
    risk 0.65 · cvss 9.8 · epss 0.18

    An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overflow in data2vp_wimax()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code.

  • CVE-2017-10979 · Critical · Jul 17, 2017
    risk 0.65 · cvss 9.8 · epss 0.22

    An FR-GV-202 issue in FreeRADIUS 2.x before 2.2.10 allows "Write overflow in rad_coalesce()" - this allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code.

  • CVE-2017-9148 · Critical · May 29, 2017
    risk 0.64 · cvss 9.8 · epss 0.04

    The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass…

  • CVE-2024-3596 · Critical · Jul 9, 2024
    risk 0.60 · cvss 9.0 · epss 0.15

    RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

  • CVE-2015-8764 · High · Mar 27, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8, which triggers a buffer overflow.

  • CVE-2015-8763 · High · Mar 27, 2017
    risk 0.53 · cvss 8.1 · epss 0.01

    The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to have unspecified impact via a crafted (1) commit or (2) confirm message, which triggers an out-of-bounds read.

  • CVE-2017-10987 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    An FR-GV-304 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Buffer over-read in fr_dhcp_decode_suboptions()" and a denial of service.

  • CVE-2017-10986 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infinite read in dhcp_attr2vp()" and a denial of service.

  • CVE-2017-10985 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    An FR-GV-302 issue in FreeRADIUS 3.x before 3.0.15 allows "Infinite loop and memory exhaustion with 'concat' attributes" and a denial of service.

  • CVE-2017-10983 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "DHCP - Read overflow when decoding option 63" and a denial of service.

  • CVE-2017-10982 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    An FR-GV-205 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Buffer over-read in fr_dhcp_decode_options()" and a denial of service.

  • CVE-2017-10981 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    An FR-GV-204 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Memory leak in fr_dhcp_decode()" and a denial of service.

  • CVE-2017-10980 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    An FR-GV-203 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Memory leak in decode_tlv()" and a denial of service.

  • CVE-2017-10978 · High · Jul 17, 2017
    risk 0.49 · cvss 7.5 · epss 0.03

    An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0.15 allows "Read / write overflow in make_secret()" and a denial of service.

  • CVE-2015-4680 · High · Apr 5, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly check revocation of intermediate CA certificates.

  • CVE-2015-8762 · Medium · Mar 27, 2017
    risk 0.38 · cvss 5.9 · epss 0.02

    The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a zero-length EAP-PWD packet.

  • CVE-2003-0967 · Dec 15, 2003
    risk 0.03 · cvss · epss 0.05

    rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute.

  • CVE-2019-11234 · Apr 21, 2019
    risk 0.02 · cvss · epss 0.08

    FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a "Dragonblood" issue, a similar issue to CVE-2019-9497.

  • CVE-2019-11235 · Apr 21, 2019
    risk 0.01 · cvss · epss 0.04

    FreeRADIUS before 3.0.19 mishandles the "each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used" protection mechanism, aka a "Dragonblood" issue, a similar issue to CVE-2019-9498 and…

  • CVE-2001-1376 · Mar 4, 2002
    risk 0.01 · cvss · epss 0.09

    Buffer overflow in digest calculation function of multiple RADIUS implementations allows remote attackers to cause a denial of service and possibly execute arbitrary code via shared secret data.

  • CVE-2022-41861 · Jan 17, 2023
    risk 0.00 · cvss · epss 0.01

    A flaw was found in freeradius. A malicious RADIUS client or home server can send a malformed abinary attribute which can cause the server to crash.

  • CVE-2022-41859 · Jan 17, 2023
    risk 0.00 · cvss · epss 0.01

    In freeradius, the EAP-PWD function compute_password_element() leaks information about the password which allows an attacker to substantially reduce the size of an offline dictionary attack.

  • CVE-2022-41860 · Jan 17, 2023
    risk 0.00 · cvss · epss 0.01

    In freeradius, when an EAP-SIM supplicant sends an unknown SIM option, the server will try to look that option up in the internal dictionaries. This lookup will fail, but the SIM code will not check for that failure. Instead, it will dereference a NULL pointer, and cause the…

  • CVE-2019-17185 · Mar 21, 2020
    risk 0.00 · cvss · epss 0.02

    In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global OpenSSL BN_CTX instance to handle all handshakes. This means multiple threads use the same BN_CTX instance concurrently, resulting in crashes when concurrent EAP-pwd handshakes are initiated. This can be abused…

  • CVE-2015-9542 · Feb 24, 2020
    risk 0.00 · cvss · epss 0.03

    add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correctly check the length of the input password, and is vulnerable to a stack-based buffer overflow during memcpy(). An attacker could send a crafted password to an application (loading the pam_radius library) and…

  • CVE-2019-13456 · Dec 3, 2019
    risk 0.00 · cvss · epss 0.02

    In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks information that an attacker can use to recover the password of any user. This…

  • CVE-2019-18667 · Nov 2, 2019
    risk 0.00 · cvss · epss 0.04

    /usr/local/www/freeradius_view_config.php in the freeradius3 package before 0.15.7_3 for pfSense on FreeBSD allows a user with an XSS payload as password or username to execute arbitrary JavaScript code on a victim browser.

  • CVE-2019-10143 · May 24, 2019
    risk 0.00 · cvss · epss 0.00

    It was discovered freeradius up to and including version 3.0.19 does not correctly configure logrotate, allowing a local attacker who already has control of the radiusd user to escalate his privileges to root, by tricking logrotate into writing a radiusd-writable file to a…

  • CVE-2014-2015 · Nov 2, 2014
    risk 0.00 · cvss · epss 0.04

    Stack-based buffer overflow in the normify function in the rlm_pap module (modules/rlm_pap/rlm_pap.c) in FreeRADIUS 2.x, possibly 2.2.3 and earlier, and 3.x, possibly 3.0.1 and earlier, might allow attackers to cause a denial of service (crash) and possibly execute arbitrary…

  • CVE-2011-4966 · Mar 12, 2013
    risk 0.00 · cvss · epss 0.01

    modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode is enabled for user authentication, does not properly check the password expiration in /etc/shadow, which allows remote authenticated users to authenticate using an expired password.

  • CVE-2012-3547 · Sep 18, 2012
    risk 0.00 · cvss · epss 0.06

    Stack-based buffer overflow in the cbtls_verify function in FreeRADIUS 2.1.10 through 2.1.12, when using TLS-based EAP methods, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via a long "not after" timestamp in a client…

  • CVE-2011-2701 · Aug 4, 2011
    risk 0.00 · cvss · epss 0.02

    The ocsp_check function in rlm_eap_tls.c in FreeRADIUS 2.1.11, when OCSP is enabled, does not properly parse replies from OCSP responders, which allows remote attackers to bypass authentication by using the EAP-TLS protocol with a revoked X.509 client certificate.

  • CVE-2010-3697 · Oct 7, 2010
    risk 0.00 · cvss · epss 0.02

    The wait_for_child_to_die function in main/event.c in FreeRADIUS 2.1.x before 2.1.10, in certain circumstances involving long-term database outages, does not properly handle long queue times for requests, which allows remote attackers to cause a denial of service (daemon crash)…

  • CVE-2010-3696 · Oct 7, 2010
    risk 0.00 · cvss · epss 0.02

    The fr_dhcp_decode function in lib/dhcp.c in FreeRADIUS 2.1.9, in certain non-default builds, does not properly handle the DHCP Relay Agent Information option, which allows remote attackers to cause a denial of service (infinite loop and daemon outage) via a packet that has more…

  • CVE-2009-3111 · Sep 9, 2009
    risk 0.00 · cvss · epss 0.11

    The rad_decode function in FreeRADIUS before 1.1.8 allows remote attackers to cause a denial of service (radiusd crash) via zero-length Tunnel-Password attributes, as demonstrated by a certain module in VulnDisco Pack Professional 7.6 through 8.11. NOTE: this is a regression…

  • CVE-2008-4474 · Oct 7, 2008
    risk 0.00 · cvss · epss 0.00

    freeradius-dialupadmin in freeradius 2.0.4 allows local users to overwrite arbitrary files via a symlink attack on temporary files in (1) backup_radacct, (2) clean_radacct, (3) monthly_tot_stats, (4) tot_stats, and (5) truncate_radacct.

  • CVE-2007-2028 · Apr 13, 2007
    risk 0.00 · cvss · epss 0.02

    Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not…

  • CVE-2007-0080 · Jan 5, 2007
    risk 0.00 · cvss · epss 0.00

    Buffer overflow in the SMB_Connect_Server function in FreeRadius 1.1.3 and earlier allows attackers to execute arbitrary code related to the server desthost field of an SMB_Handle_Type instance. NOTE: the impact of this issue has been disputed by a reliable third party and the…

  • CVE-2006-1354 · Mar 22, 2006
    risk 0.00 · cvss · epss 0.03

    Unspecified vulnerability in FreeRADIUS 1.0.0 up to 1.1.0 allows remote attackers to bypass authentication or cause a denial of service (server crash) via "Insufficient input validation" in the EAP-MSCHAPv2 state machine module.

  • CVE-2005-4744 · Dec 31, 2005
    risk 0.00 · cvss · epss 0.04

    Off-by-one error in the sql_error function in sql_unixodbc.c in FreeRADIUS 1.0.2.5-5, and possibly other versions including 1.0.4, might allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the external database query to…

  • CVE-2005-4745 · Dec 31, 2005
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in the rlm_sqlcounter module in FreeRADIUS 1.0.3 and 1.0.4 allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.

  • CVE-2005-4746 · Dec 31, 2005
    risk 0.00 · cvss · epss 0.02

    Multiple buffer overflows in FreeRADIUS 1.0.3 and 1.0.4 allow remote attackers to cause denial of service (crash) via (1) the rlm_sqlcounter module or (2) unknown vectors "while expanding %t".

  • CVE-2005-1455 · May 19, 2005
    risk 0.00 · cvss · epss 0.03

    Buffer overflow in the sql_escape_func function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote attackers to cause a denial of service (crash).

  • CVE-2005-1454 · May 19, 2005
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in the radius_xlat function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via (1) group_membership_query, (2) simul_count_query, or (3) simul_verify_query configuration entries.

  • CVE-2004-0961 · Feb 9, 2005
    risk 0.00 · cvss · epss 0.03

    Memory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes.

  • CVE-2004-0960 · Feb 9, 2005
    risk 0.00 · cvss · epss 0.03

    FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (core dump) via malformed USR vendor-specific attributes (VSA) that cause a memcpy operation with a -1 argument.

  • CVE-2004-0938 · Nov 3, 2004
    risk 0.00 · cvss · epss 0.04

    FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet.

  • CVE-2003-0968 · Dec 15, 2003
    risk 0.00 · cvss · epss 0.04

    Stack-based buffer overflow in SMB_Logon_Server of the rlm_smb experimental module for FreeRADIUS 0.9.3 and earlier allows remote attackers to execute arbitrary code via a long User-Password attribute.

  • CVE-2002-0318 · Jun 25, 2002
    risk 0.00 · cvss · epss 0.01

    FreeRADIUS RADIUS server allows remote attackers to cause a denial of service (CPU consumption) via a flood of Access-Request packets.

  • CVE-2001-1377 · Mar 4, 2002
    risk 0.00 · cvss · epss 0.05

    Multiple RADIUS implementations do not properly validate the Vendor-Length of the Vendor-Specific attribute, which allows remote attackers to cause a denial of service (crash) via a Vendor-Length that is less than 2.