OVAL

[3.6] freeradius: Multiple vulnerabilities (CVE-2019-11234, CVE-2019-11235)

ID: oval:org.secpod.oval:def:1801405
Date: (C)2019-06-19   (M)2021-11-09
Class: PATCH
Family: unix




CVE-2019-11234: eap-pwd: fake authentication using reflection

A vulnerability was found in FreeRADIUS. An attacker can reflect the scalar and element received from the server in its own commit message, and subsequently reflect the confirm value as well. This causes the adversary to successfully authenticate as the victim. Fortunately, the adversary will not possess the negotiated session key, meaning the adversary cannot actually perform any actions as this user.

Affected Versions: freeradius 3.0.0 through 3.0.18

Fixed In Version: freeradius 3.0.19

Platform:
Alpine Linux 3.6
Product:
freeradius
Reference:
10328
CVE-2019-11234
CVE-2019-11235
CPE    57
cpe:/a:freeradius:freeradius
cpe:/a:freeradius:freeradius:1.0.0
cpe:/a:freeradius:freeradius:0.2
cpe:/a:freeradius:freeradius:2.0
...

© SecPod Technologies