{"id":"CVE-2021-45079","details":"In strongSwan before 5.9.5, a malicious responder can send an EAP-Success message too early without actually authenticating the client and (in the case of EAP methods with mutual authentication and EAP-only authentication for IKEv2) even without server authentication.","modified":"2026-04-11T12:38:21.188077Z","published":"2022-01-31T08:15:07.307Z","related":["SUSE-SU-2022:0202-1","SUSE-SU-2022:0211-1","SUSE-SU-2022:0492-1","SUSE-SU-2022:14887-1","openSUSE-SU-2022:0492-1","openSUSE-SU-2024:11808-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:7.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.0"}],"cpe":"cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:9.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"14.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"16.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"18.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"20.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"21.10"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:21.10:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"10.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"11.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"34"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"35"}],"cpe":"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*"}]},"references":[{"type":"ARTICLE","url":"https://www.strongswan.org/blog/2022/01/24/strongswan-vulnerability-%28cve-2021-45079%29.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/strongswan/strongswan","events":[{"introduced":"5fc278edf3795ce7eb2ff11195797f481ede0d77"},{"fixed":"57d6e96943ae583367ae47e08edf1c43013f1bdc"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"4.1.2"},{"fixed":"5.9.5"}],"cpe":"cpe:2.3:a:strongswan:strongswan:*:*:*:*:*:*:*:*"}}],"versions":["4.1.10","4.1.11","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.1.8","4.1.9","4.2.0","4.2.1","4.2.10","4.2.11","4.2.12","4.2.13","4.2.14","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.2.8","4.2.9","4.3.0","4.3.1","4.3.2","4.3.3","4.3.4","4.3.5","4.3.5rc1","4.3.6","4.4.0","4.4.1","4.5.0","4.5.1","4.5.2","4.5.3","4.6.0","4.6.1","4.6.2","4.6.3","5.0.0","5.0.1","5.0.2","5.0.2dr4","5.0.2rc1","5.0.3","5.0.3dr1","5.0.3dr2","5.0.3dr3","5.0.3rc1","5.0.4","5.1.0","5.1.0dr1","5.1.0dr2","5.1.0rc1","5.1.1","5.1.1dr1","5.1.1dr2","5.1.1dr3","5.1.1dr4","5.1.1rc1","5.1.2","5.1.2.dr2","5.1.2dr1","5.1.2dr3","5.1.2rc1","5.1.2rc2","5.1.3","5.1.3dr1","5.1.3rc1","5.2.0","5.2.0dr1","5.2.0dr2","5.2.0dr3","5.2.0dr4","5.2.0dr5","5.2.0dr6","5.2.0rc1","5.2.1","5.2.1dr1","5.2.1rc1","5.2.2","5.2.2dr1","5.2.2rc1","5.3.0","5.3.0dr1","5.3.0rc1","5.3.1","5.3.1dr1","5.3.1rc1","5.3.2","5.3.3","5.3.3dr1","5.3.3dr3","5.3.3dr4","5.3.3dr5","5.3.3dr6","5.3.3rc2","5.3.4","5.3.4dr1","5.3.4dr2","5.3.4dr3","5.3.4rc1","5.3.5","5.4.0","5.4.0dr1","5.4.0dr2","5.4.0dr3","5.4.0dr4","5.4.0dr5","5.4.0dr6","5.4.0dr7","5.4.0dr8","5.4.0rc1","5.4.1dr1","5.4.1dr2","5.4.1dr3","5.4.1dr4","5.5.0","5.5.0dr1","5.5.0rc1","5.5.1","5.5.1dr1","5.5.1dr2","5.5.1dr3","5.5.1dr4","5.5.1dr5","5.5.1rc1","5.5.1rc2","5.5.2","5.5.2dr1","5.5.2dr2","5.5.2dr3","5.5.2dr4","5.5.2dr5","5.5.2dr6","5.5.2dr7","5.5.2rc1","5.5.3","5.5.3dr1","5.5.3dr2","5.6.0","5.6.0dr1","5.6.0dr2","5.6.0dr3","5.6.0dr4","5.6.0rc1","5.6.0rc2","5.6.1","5.6.1dr1","5.6.1dr2","5.6.1dr3","5.6.1rc1","5.6.2","5.6.2dr1","5.6.2dr2","5.6.2dr3","5.6.2dr4","5.6.2rc1","5.6.3","5.6.3dr1","5.6.3dr2","5.6.3rc1","5.7.0","5.7.0dr1","5.7.0dr2","5.7.0dr3","5.7.0dr4","5.7.0dr5","5.7.0dr6","5.7.0dr8","5.7.0rc1","5.7.0rc2","5.7.1","5.7.2","5.7.2dr1","5.7.2dr2","5.7.2dr3","5.7.2dr4","5.7.2rc1","5.8.0","5.8.0dr2","5.8.0rc1","5.8.1","5.8.1dr1","5.8.1rc2","5.8.2","5.8.2dr1","5.8.2dr2","5.8.2rc1","5.8.2rc2","5.8.3","5.8.3rc1","5.8.4","5.9.0","5.9.0dr1","5.9.0dr2","5.9.0rc1","5.9.1","5.9.1dr1","5.9.1rc1","5.9.2","5.9.2dr1","5.9.2dr2","5.9.2rc1","5.9.2rc2","5.9.3","5.9.3dr1","5.9.3dr2","5.9.3dr3","5.9.3dr4","5.9.3rc1","5.9.4","5.9.4dr1","5.9.4dr2","5.9.4dr3","5.9.4rc1","5.9.5dr1","5.9.5dr2","5.9.5dr3","5.9.5dr4","5.9.5rc1","android-2.3.3","android-2.3.3-1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-45079.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}