{"id":"CVE-2021-41990","details":"The gmp plugin in strongSwan before 5.9.4 has a remote integer overflow via a crafted certificate with an RSASSA-PSS signature. For example, this can be triggered by an unrelated self-signed CA certificate sent by an initiator. Remote code execution cannot occur.","modified":"2026-05-18T05:53:33.241006217Z","published":"2021-10-18T14:15:10.297Z","related":["SUSE-SU-2021:3467-1","SUSE-SU-2021:3469-1","openSUSE-SU-2021:1399-1","openSUSE-SU-2021:3467-1","openSUSE-SU-2024:11655-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"10.0"},{"last_affected":"11.0"}],"vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"]},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"33"},{"last_affected":"34"},{"last_affected":"35"}],"vendor_product":"fedoraproject:fedora","cpes":["cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5FJSATD2R2XHTG4P63GCMQ2N7EWKMME5/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQSQ3BEC22NF4NCDZVCT4P3Q2ZIAJXGJ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3TQ32JLJOBJDB2EJKSX2PBPB5NFG2D4/"},{"type":"ADVISORY","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-539476.pdf"},{"type":"ADVISORY","url":"https://github.com/strongswan/strongswan/releases/tag/5.9.4"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4989"},{"type":"ARTICLE","url":"https://www.strongswan.org/blog/2021/10/18/strongswan-vulnerability-%28cve-2021-41990%29.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/strongswan/strongswan","events":[{"introduced":"203a86ecb88ecff2a338196401cbf55244ed6158"},{"fixed":"66fa7c959a53cff27c83e7f10331ad24cfdfb0a4"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"5.6.1"},{"fixed":"5.9.4"}],"cpe":"cpe:2.3:a:strongswan:strongswan:*:*:*:*:*:*:*:*"}}],"versions":["5.9.4rc1","5.9.4dr3","5.9.4dr2","5.9.4dr1","android-2.3.3-1","android-2.3.3","5.9.3","5.9.3rc1","5.9.3dr4","5.9.3dr3","5.9.3dr2","5.9.3dr1","5.9.2","5.9.2rc2","5.9.2rc1","5.9.2dr2","5.9.2dr1","5.9.1","5.9.1rc1","5.9.1dr1","5.9.0","5.9.0rc1","5.9.0dr2","5.9.0dr1","5.8.4","5.8.3","5.8.3rc1","5.8.2","5.8.2rc2","5.8.2rc1","5.8.2dr2","5.8.2dr1","5.8.1","5.8.1rc2","5.8.1dr1","5.8.0","5.8.0rc1","5.8.0dr2","5.7.2","5.7.2rc1","5.7.2dr4","5.7.2dr3","5.7.2dr2","5.7.2dr1","5.7.1","5.7.0","5.7.0rc2","5.7.0rc1","5.7.0dr8","5.7.0dr6","5.7.0dr5","5.7.0dr4","5.7.0dr3","5.7.0dr2","5.7.0dr1","5.6.3","5.6.3rc1","5.6.3dr2","5.6.3dr1","5.6.2","5.6.2rc1","5.6.2dr4","5.6.2dr3","5.6.2dr2","5.6.2dr1","5.6.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41990.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}