{"id":"CVE-2019-11234","details":"FreeRADIUS before 3.0.19 does not prevent use of reflection for authentication spoofing, aka a \"Dragonblood\" issue, a similar issue to CVE-2019-9497.","modified":"2026-05-30T13:49:25.607935Z","published":"2019-04-22T11:29:03.330Z","related":["SUSE-SU-2019:1039-1","SUSE-SU-2019:1086-1","SUSE-SU-2019:1181-1","openSUSE-SU-2019:1346-1","openSUSE-SU-2020:0542-1","openSUSE-SU-2024:10767-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"18.04"},{"last_affected":"18.10"},{"last_affected":"19.04"}],"source":"CPE_STRING","cpes":["cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*"],"vendor_product":"canonical:ubuntu_linux"},{"extracted_events":[{"last_affected":"7.0"}],"source":"CPE_STRING","cpes":["cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*"],"vendor_product":"redhat:enterprise_linux"}]},"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00014.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00032.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00033.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1131"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1142"},{"type":"ADVISORY","url":"https://freeradius.org/release_notes/?br=3.0.x&re=3.0.19"},{"type":"ADVISORY","url":"https://freeradius.org/security/"},{"type":"ADVISORY","url":"https://papers.mathyvanhoef.com/dragonblood.pdf"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3954-1/"},{"type":"ADVISORY","url":"https://www.kb.cert.org/vuls/id/871675/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1695783"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freeradius/freeradius-server","events":[{"introduced":"0"},{"fixed":"ab4c767099f263a7cd4109bcdca80ee74210a769"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.0.19"}],"cpe":"cpe:2.3:a:freeradius:freeradius:*:*:*:*:*:*:*:*","source":"CPE_RANGE"}}],"versions":["release_3_0_18","release_3_0_17","release_3_0_16","release_3_0_15","release_3_0_14","release_3_0_13","release_3_0_12","release_3_0_11","release_3_0_10","release_3_0_9","release_3_0_8","release_3.0.8","release_3_0_7","release_3_0_6","release_3_0_5","release_3_0_4_rc2","release_3_0_4_rc1","release_3_0_4_rc0","release_3_0_3","release_3_0_2","release_3_0_1","release_3_0_0","release_3_0_0_rc1","branch_4_0_0","release_3_0_0_rc0","release_3_0_0_beta1","release_3_0_0_beta0","release_2_1_7","release_2_1_4","release_2_1_3","release_2_1_2","release_2_1_1","release_2_1_0","release_2_0_5","release_2_0_4","release_2_0_3","release_2_0_2","release_2_0_1","release_2_0_0","release_2_0_0_pre2","release_2_0_0_pre1","release_0_7_0","release_0_6_0","release_0_5_0","release_0_4_0","release_0_3_0","release_0_2_0","release_0_1_0","first-build"],"database_specific":{"vanir_signatures":[{"target":{"function":"process_peer_commit","file":"src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c"},"signature_type":"Function","deprecated":false,"id":"CVE-2019-11234-1fd28794","signature_version":"v1","source":"https://github.com/freeradius/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769","digest":{"function_hash":"129569143899151200956858467118537793085","length":3217}},{"target":{"file":"src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c"},"signature_type":"Line","deprecated":false,"id":"CVE-2019-11234-7d9d3913","signature_version":"v1","source":"https://github.com/freeradius/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769","digest":{"threshold":0.9,"line_hashes":["44628322362010892775297859780437640634","247023918149329515823030769271528430332","224033363932944218881098358854636411965","17630095911784018250606902112754836822","216632450278555283936186076618328015503","95929150371845356609814502021181772614","55929718924763167308877861755612329536","22676619042527158489947307178530195583"]}}],"vanir_signatures_modified":"2026-05-30T13:49:25Z","source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11234.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}