{"id":"CVE-2017-9148","details":"The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.","modified":"2026-04-10T04:02:19.695484Z","published":"2017-05-29T17:29:00.200Z","related":["SUSE-SU-2017:1705-1","SUSE-SU-2017:1777-1","openSUSE-SU-2024:10767-1"],"references":[{"type":"WEB","url":"http://freeradius.org/security.html"},{"type":"WEB","url":"http://www.securitytracker.com/id/1038576"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:1581"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201706-27"},{"type":"ADVISORY","url":"http://seclists.org/oss-sec/2017/q2/422"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/98734"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freeradius/freeradius-server","events":[{"introduced":"0"},{"last_affected":"1c8d4d4cad8a07e96c0898fcf1cda8d2f3982495"},{"introduced":"0"},{"last_affected":"239ba3f92884be49adc90b1383aa8b54cb150fe9"},{"introduced":"0"},{"last_affected":"4c44a40e68c08b445123100b39855f36b65bf5f9"},{"introduced":"0"},{"last_affected":"a2c610854bef0f961573f15022d77b1088e8c819"},{"introduced":"0"},{"last_affected":"29ce823f72ffdfb2051765a6417126ee91e22552"},{"introduced":"0"},{"last_affected":"af07ace2815910610c0d39de90e4c0cf0735188d"},{"introduced":"0"},{"last_affected":"580424ea12feeb5933f1aaac33fd5f9e2fa2ee60"},{"introduced":"0"},{"last_affected":"9dbdad73ca823f5d2fbb0cbc5c34aec714a9e0d3"},{"introduced":"0"},{"last_affected":"808a9b3a8ff7ebac794519a1e842507c9a99107b"},{"introduced":"0"},{"last_affected":"3366cf0a98513ee15e1b96e3996f929ba5e611a4"},{"introduced":"0"},{"last_affected":"7c9d5fbe83a67934bff42c1093d50daacbf1c083"},{"introduced":"0"},{"last_affected":"8bc2d13ba84de80ef4873b0d0990a133332d24a1"},{"introduced":"0"},{"last_affected":"add9d9595bdbbae2c6b045cc3f8c1f31823748ec"},{"introduced":"0"},{"last_affected":"8282a158b0b30d7dc522162855a30c942ad57dfa"},{"introduced":"0"},{"last_affected":"3250f1d08a5ce770afb88760cdebdfeac5bf495c"},{"introduced":"0"},{"last_affected":"8a1cbd0d3a2fca26aefac2cfe7a50cd5d22fed42"},{"introduced":"0"},{"last_affected":"8b5bff2d8a2cd2be1da58a417787d907c7a5d8f1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.1.1"},{"introduced":"0"},{"last_affected":"2.1.2"},{"introduced":"0"},{"last_affected":"2.1.3"},{"introduced":"0"},{"last_affected":"2.1.4"},{"introduced":"0"},{"last_affected":"2.1.6"},{"introduced":"0"},{"last_affected":"2.1.7"},{"introduced":"0"},{"last_affected":"3.0.0"},{"introduced":"0"},{"last_affected":"3.0.1"},{"introduced":"0"},{"last_affected":"3.0.2"},{"introduced":"0"},{"last_affected":"3.0.3"},{"introduced":"0"},{"last_affected":"3.0.4"},{"introduced":"0"},{"last_affected":"3.0.5"},{"introduced":"0"},{"last_affected":"3.0.6"},{"introduced":"0"},{"last_affected":"3.0.7"},{"introduced":"0"},{"last_affected":"3.0.8"},{"introduced":"0"},{"last_affected":"3.0.9"},{"introduced":"0"},{"last_affected":"4.0.0"}]}}],"versions":["branch_4_0_0","first-build","release_0_1_0","release_0_2_0","release_0_3_0","release_0_4_0","release_0_5_0","release_0_6_0","release_0_7_0","release_2_0_0","release_2_0_0_pre1","release_2_0_0_pre2","release_2_0_1","release_2_0_2","release_2_0_3","release_2_0_4","release_2_0_5","release_2_1_0","release_2_1_1","release_2_1_2","release_2_1_3","release_2_1_4","release_2_1_6","release_2_1_7","release_3.0.8","release_3_0_0","release_3_0_0_beta0","release_3_0_0_beta1","release_3_0_0_rc0","release_3_0_0_rc1","release_3_0_1","release_3_0_2","release_3_0_3","release_3_0_4","release_3_0_4_rc0","release_3_0_4_rc1","release_3_0_4_rc2","release_3_0_5","release_3_0_6","release_3_0_7","release_3_0_8","release_3_0_9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"3.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"3.1.3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9148.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}