{"id":"CVE-2019-11235","details":"FreeRADIUS before 3.0.19 mishandles the \"each participant verifies that the received scalar is within a range, and that the received group element is a valid point on the curve being used\" protection mechanism, aka a \"Dragonblood\" issue, a similar issue to CVE-2019-9498 and CVE-2019-9499.","modified":"2026-04-16T04:35:15.364086877Z","published":"2019-04-22T11:29:03.517Z","related":["SUSE-SU-2019:1039-1","SUSE-SU-2019:1086-1","SUSE-SU-2019:1181-1","openSUSE-SU-2019:1346-1","openSUSE-SU-2020:0542-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00033.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00032.html"},{"type":"ADVISORY","url":"https://freeradius.org/release_notes/?br=3.0.x&re=3.0.19"},{"type":"ADVISORY","url":"https://freeradius.org/security/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00014.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1131"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:1142"},{"type":"ADVISORY","url":"https://papers.mathyvanhoef.com/dragonblood.pdf"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3954-1/"},{"type":"ADVISORY","url":"https://www.kb.cert.org/vuls/id/871675/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1695748"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/freeradius/freeradius-server","events":[{"introduced":"0"},{"fixed":"ab4c767099f263a7cd4109bcdca80ee74210a769"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.0.19"}]}}],"versions":["branch_4_0_0","first-build","release_0_1_0","release_0_2_0","release_0_3_0","release_0_4_0","release_0_5_0","release_0_6_0","release_0_7_0","release_2_0_0","release_2_0_0_pre1","release_2_0_0_pre2","release_2_0_1","release_2_0_2","release_2_0_3","release_2_0_4","release_2_0_5","release_2_1_0","release_2_1_1","release_2_1_2","release_2_1_3","release_2_1_4","release_2_1_7","release_3.0.8","release_3_0_0","release_3_0_0_beta0","release_3_0_0_beta1","release_3_0_0_rc0","release_3_0_0_rc1","release_3_0_1","release_3_0_10","release_3_0_11","release_3_0_12","release_3_0_13","release_3_0_14","release_3_0_15","release_3_0_16","release_3_0_17","release_3_0_18","release_3_0_2","release_3_0_3","release_3_0_4_rc0","release_3_0_4_rc1","release_3_0_4_rc2","release_3_0_5","release_3_0_6","release_3_0_7","release_3_0_8","release_3_0_9"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/freeradius/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769","digest":{"length":3217,"function_hash":"129569143899151200956858467118537793085"},"deprecated":false,"target":{"file":"src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c","function":"process_peer_commit"},"id":"CVE-2019-11235-1fd28794","signature_type":"Function","signature_version":"v1"},{"source":"https://github.com/freeradius/freeradius-server/commit/ab4c767099f263a7cd4109bcdca80ee74210a769","digest":{"line_hashes":["44628322362010892775297859780437640634","247023918149329515823030769271528430332","224033363932944218881098358854636411965","17630095911784018250606902112754836822","216632450278555283936186076618328015503","95929150371845356609814502021181772614","55929718924763167308877861755612329536","22676619042527158489947307178530195583"],"threshold":0.9},"deprecated":false,"target":{"file":"src/modules/rlm_eap/types/rlm_eap_pwd/eap_pwd.c"},"id":"CVE-2019-11235-7d9d3913","signature_type":"Line","signature_version":"v1"}],"vanir_signatures_modified":"2026-04-11T08:55:44Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11235.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}