Vulnerabilities > W1 FI > Hostapd > High

DATE CVE VULNERABILITY TITLE RISK
2020-06-08 CVE-2020-12695 Incorrect Default Permissions vulnerability in multiple products
The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue.
7.5
2020-02-28 CVE-2019-10064 Insufficient Entropy vulnerability in multiple products
hostapd before 2.6, in EAP mode, makes calls to the rand() and random() standard library functions without any preceding srand() or srandom() call, which results in inappropriate use of deterministic values.
network
low complexity
w1-fi debian CWE-331
7.5
2019-04-17 CVE-2019-9499 Improper Authentication vulnerability in multiple products
The implementations of EAP-PWD in wpa_supplicant EAP Peer, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit.
8.1
2019-04-17 CVE-2019-9498 Improper Authentication vulnerability in multiple products
The implementations of EAP-PWD in hostapd EAP Server, when built against a crypto library missing explicit validation on imported elements, do not validate the scalar and element values in EAP-pwd-Commit.
8.1
2019-04-17 CVE-2019-9497 Improper Authentication vulnerability in multiple products
The implementations of EAP-PWD in hostapd EAP Server and wpa_supplicant EAP Peer do not validate the scalar and element values in EAP-pwd-Commit.
network
high complexity
w1-fi fedoraproject CWE-287
8.1
2019-04-17 CVE-2019-9496 Improper Authentication vulnerability in multiple products
An invalid authentication sequence could result in the hostapd process terminating due to missing state validation steps when processing the SAE confirm message when in hostapd/AP mode.
network
low complexity
w1-fi fedoraproject CWE-287
7.5
2019-03-23 CVE-2016-10743 Insufficient Entropy in PRNG vulnerability in W1.Fi Hostapd
hostapd before 2.6 does not prevent use of the low-quality PRNG that is reached by an os_random() function call.
network
low complexity
w1-fi CWE-332
7.5
2017-10-17 CVE-2017-13082 Use of Insufficiently Random Values vulnerability in multiple products
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
8.1
2016-05-09 CVE-2016-4476 Improper Input Validation vulnerability in multiple products
hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.
network
low complexity
w1-fi canonical CWE-20
7.5