CVE-2021-42146

An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to obtain sensitive application (data of connected clients).

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://seclists.org/fulldisclosure/2024/Jan/19	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/19
https://seclists.org/fulldisclosure/2024/Jan/19	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:contiki-ng:tinydtls:2018-08-30:*:*:*:*:*:*:*

History

20 Jun 2025, 20:15

Type	Values Removed	Values Added
CWE		CWE-303

21 Nov 2024, 06:27

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Jan/19 -
References	~~() https://seclists.org/fulldisclosure/2024/Jan/19 - Mailing List, Third Party Advisory~~	() https://seclists.org/fulldisclosure/2024/Jan/19 - Mailing List, Third Party Advisory

01 Feb 2024, 20:16

Type	Values Removed	Values Added
References	~~() https://seclists.org/fulldisclosure/2024/Jan/19 -~~	() https://seclists.org/fulldisclosure/2024/Jan/19 - Mailing List, Third Party Advisory
CWE		CWE-755
First Time		Contiki-ng Contiki-ng tinydtls
CPE		cpe:2.3:a:contiki-ng:tinydtls:2018-08-30:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

24 Jan 2024, 19:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-24 19:15

Updated : 2025-06-20 20:15

NVD link : CVE-2021-42146

Mitre link : CVE-2021-42146

CVE.ORG link : CVE-2021-42146

JSON object : View

Products Affected

contiki-ng

tinydtls

CWE

CWE-755

Improper Handling of Exceptional Conditions

CWE-303

Incorrect Implementation of Authentication Algorithm

{"id": "CVE-2021-42146", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-01-24T19:15:08.483", "references": [{"url": "https://seclists.org/fulldisclosure/2024/Jan/19", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2024/Jan/19", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://seclists.org/fulldisclosure/2024/Jan/19", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-755"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-303"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. DTLS servers allow remote attackers to reuse the same epoch number within two times the TCP maximum segment lifetime, which is prohibited in RFC6347. This vulnerability allows remote attackers to obtain sensitive application (data of connected clients)."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Contiki-NG tinyDTLS a trav\u00e9s de la rama maestra 53a0d97. Los servidores DTLS permiten a atacantes remotos reutilizar el mismo n\u00famero de \u00e9poca dentro de dos veces la vida \u00fatil m\u00e1xima del segmento TCP, lo cual est\u00e1 prohibido en RFC6347. Esta vulnerabilidad permite a atacantes remotos obtener aplicaciones confidenciales (datos de clientes conectados)."}], "lastModified": "2025-06-20T20:15:23.110", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:contiki-ng:tinydtls:2018-08-30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "90402650-48E8-4C88-9306-B32811E56046"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}