| tiêu đề | Cesanta Mongoose Embedded Web Server 7.20 Improper Verification of Cryptographic Signature |
|---|
| Mô tả | The mg_chacha20_poly1305_decrypt() function in /src/tls_chacha20.c never computes or verifies the Poly1305 authentication tag during decryption, completely bypassing the authentication guarantee of the AEAD cipher. Because ChaCha20 is a stream cipher, this allows a man-in-the-middle attacker to perform bit-flipping attacks on any TLS record, thus modifying encrypted data in transit with byte-level precision, and the Mongoose server will accept the tampered record as authentic. This renders TLS connections using the built-in TLS implementation completely unauthenticated.
Vendor recognizes that this is a serious vulnerability but is incapable or unwilling to fix it. |
|---|
| Nguồn | ⚠️ https://github.com/dwBruijn/CVEs/blob/main/Mongoose/ChaCha20Poly1305.md |
|---|
| Người dùng | dwbruijn (UID 93926) |
|---|
| Đệ trình | 12/02/2026 08:26 (cách đây 2 các tháng) |
|---|
| Kiểm duyệt | 22/02/2026 08:57 (10 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 347335 [Cesanta Mongoose đến 7.20 Poly1305 Authentication Tag /src/tls_chacha20.c mg_chacha20_poly1305_decrypt xác thực yếu] |
|---|
| điểm | 20 |
|---|