CVE-2021-3618

ALPACA is an application layer protocol content confusion attack that exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker with access to the victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS, and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
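
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.4 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| redhat | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |
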
EPSS Score Percentile: 62%

| Vendor | Product | Version |
|---|---|---|
| f5 | nginx | 𝑥 < 1.21.0 |
| sendmail | sendmail | 𝑥 < 8.17 |
| vsftpd_project | vsftpd | 𝑥 < 3.0.4 |
| debian | debian_linux | 10.0 |

𝑥 = Vulnerable software versions

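Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| nginx | bullseye (security) | 1.18.0-6.1+deb11u3 | fixed |
| nginx | bullseye | 1.18.0-6.1+deb11u3 | no-dsa |
| nginx | stretch | | no-dsa |
| nginx | bookworm | 1.22.1-9 | no-dsa |
| nginx | buster | | no-dsa |
| nginx | sid | 1.26.0-3 | fixed |
| nginx | trixie | 1.26.0-3 | fixed |
| sendmail | bullseye | | no-dsa |
| sendmail | stretch | | no-dsa |
| sendmail | bookworm | 8.17.1.9-2+deb12u2 | no-dsa |
| sendmail | buster | | no-dsa |
| sendmail | sid | 8.18.1-6 | fixed |
| sendmail | trixie | 8.18.1-6 | fixed |
| vsftpd | bullseye | | no-dsa |
| vsftpd | stretch | | no-dsa |
| vsftpd | bookworm | | no-dsa |
| vsftpd | buster | | no-dsa |
| vsftpd | sid | | vulnerable |
| vsftpd | trixie | | vulnerable |
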
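Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| nginx | noble | | not-affected |
| nginx | mantic | | not-affected |
| nginx | lunar | | not-affected |
| nginx | kinetic | | ignored |
| nginx | jammy | Fixed 1.18.0-6ubuntu14.1 | released |
| nginx | impish | Fixed 1.18.0-6ubuntu11.1 | released |
| nginx | hirsute | | ignored |
| nginx | focal | Fixed 1.18.0-0ubuntu1.3 | released |
| nginx | bionic | Fixed 1.14.0-0ubuntu1.10 | released |
| nginx | xenial | Fixed 1.10.3-0ubuntu0.16.04.5+esm3 | released |
| nginx | trusty | | needed |
| sendmail | noble | | not-affected |
| sendmail | mantic | | not-affected |
| sendmail | lunar | | not-affected |
| sendmail | kinetic | | ignored |
| sendmail | jammy | | needed |
| sendmail | impish | | ignored |
| sendmail | hirsute | | ignored |
| sendmail | focal | | needed |
| sendmail | bionic | | needed |
| sendmail | xenial | | needs-triage |
| sendmail | trusty | | needed |
| vsftpd | noble | | not-affected |
| vsftpd | mantic | | not-affected |
| vsftpd | lunar | | not-affected |
| vsftpd | kinetic | | not-affected |
| vsftpd | jammy | | not-affected |
| vsftpd | impish | | ignored |
| vsftpd | hirsute | | ignored |
| vsftpd | focal | Fixed 3.0.5-0ubuntu0.20.04.1 | released |
| vsftpd | bionic | | needed |
| vsftpd | xenial | | needed |
| vsftpd | trusty | | needed |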