Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Missing input validation in dynamic discovery example scripts.
Vulnerability Description
radsecproxy is a generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports. Missing input validation in radsecproxy's `naptr-eduroam.sh` and `radsec-dynsrv.sh` example scripts can lead to configuration injection via crafted RadSec peer discovery DNS records. Users are exposed to information disclosure, denial of service, and redirection of the RADIUS connection to a non-authenticated server, leading to non-authenticated network access. Updated example scripts are available in the master branch and the 1.9 release. Note that the scripts are not part of the installation package and are not updated automatically: if you use the examples, you have to update them manually. The dynamic discovery scripts work independently of the radsecproxy code, so the updated scripts can be used with any version of radsecproxy.
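The root cause described above is that values returned by DNS (the discovered server name and port) and the realm taken from the user's identity were pasted into a generated radsecproxy `server` block without checking what bytes they contained. The following is an added example, not code from radsecproxy's own `naptr-eduroam.sh` or `radsec-dynsrv.sh`, of the allow-list validation such a script needs before it emits configuration. The function names (`is_valid_hostname`, `is_valid_port`, `emit_server_block`), the sample realm and the sample SRV answers are constructed for illustration; the emitted block follows radsecproxy's `server { host ...; port ...; type TLS }` layout.

```shell
#!/bin/sh
# Added example: allow-list validation of DNS-derived values before they are
# written into a radsecproxy "server" block. Function names and the sample
# realm / SRV answers are constructed; this is not the project's own script.

# A hostname (or realm) may contain only letters, digits, '.' and '-'.
# Any other byte, including a newline or a '}' that could close the server
# block and start a directive the operator never wrote, rejects the value.
is_valid_hostname() {
    v=${1%.}                         # tolerate the trailing dot dig prints for FQDNs
    [ -n "$v" ] && [ "${#v}" -le 253 ] || return 1
    # Delete every allowed byte; whatever is left over is forbidden. Counting
    # bytes with wc -c (rather than testing a $(...) string) keeps a lone
    # trailing newline from being silently stripped and slipping through.
    leftover=$(printf '%s' "$v" | tr -d 'A-Za-z0-9.-' | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ] || return 1
    case "$v" in
        -*|*-|.*|*.|*..*|*.-*|*-.*) return 1 ;;   # malformed labels
    esac
    return 0
}

# A port is 1 to 5 decimal digits in the range 1..65535, nothing else.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty, or contains a non-digit byte
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a radsecproxy server block for REALM pointing at HOST:PORT, or print
# nothing on stdout and return 1 if any of the three values fails validation.
emit_server_block() {
    realm=$1
    host=${2%.}
    port=$3
    if ! is_valid_hostname "$realm"; then
        printf 'rejected realm: %s\n' "$realm" >&2; return 1
    fi
    if ! is_valid_hostname "$host"; then
        printf 'rejected host: %s\n' "$host" >&2; return 1
    fi
    if ! is_valid_port "$port"; then
        printf 'rejected port: %s\n' "$port" >&2; return 1
    fi
    printf 'server dynamic_radsec.%s {\n    host %s\n    port %s\n    type TLS\n}\n' \
        "$realm" "$host" "$port"
}

# Constructed SRV answers. The first is what an honest _radsec._tcp lookup
# would return; the second embeds a newline so that, pasted unvalidated into
# the generated config, it would add an extra directive to the server block.
GOOD_TARGET='radius.example.net.'
NL='
'
BAD_TARGET="radius.example.net.${NL}    injected-directive value"

emit_server_block 'example.edu' "$GOOD_TARGET" 2083
if ! emit_server_block 'example.edu' "$BAD_TARGET" 2083; then
    echo 'crafted SRV target rejected, no config emitted' >&2
fi
```

In a discovery script the same three checks would run on the realm parsed from the User-Name and on the NAPTR/SRV target and port before anything is written to the file radsecproxy reads; on rejection the script prints nothing, so radsecproxy sees no server for that realm rather than an attacker-shaped one.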
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Vulnerability Type
Improper Input Validation
Vulnerability Title
Radsecproxy Injection Vulnerability
Vulnerability Description
Radsecproxy is a generic RADIUS proxy that supports UDP and TLS (RadSec) RADIUS transports. Radsecproxy versions before 1.9 contain an injection vulnerability caused by missing input validation in the naptr-eduroam.sh and radsec-dynsrv.sh scripts, which can lead to configuration injection via crafted RadSec peer discovery DNS records. An attacker can exploit this to cause information disclosure, denial of service, or redirection of the RADIUS connection to a non-authenticated server, leading to non-authenticated network access.
CVSS Information
N/A
Vulnerability Type
N/A