Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Mbed_tls
(Arm)| Repositories | https://github.com/ARMmbed/mbedtls |
| #Vulnerabilities | 43 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-07-19 | CVE-2020-36423 | An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator. | Mbed_tls, Debian_linux | 7.5 | ||
| 2021-07-19 | CVE-2020-36424 | An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values. | Mbed_tls, Debian_linux | 4.7 | ||
| 2021-07-19 | CVE-2020-36425 | An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock. | Mbed_tls, Debian_linux | 5.3 | ||
| 2021-07-19 | CVE-2020-36426 | An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_crl_parse_der has a buffer over-read (of one byte). | Mbed_tls, Debian_linux | 7.5 | ||
| 2021-08-23 | CVE-2020-36475 | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs. | Mbed_tls, Debian_linux, Logo\!_cmr2020_firmware, Logo\!_cmr2040_firmware, Simatic_rtu3000c_firmware, Simatic_rtu3030c_firmware, Simatic_rtu3031c_firmware, Simatic_rtu3041c_firmware | 7.5 | ||
| 2021-08-23 | CVE-2020-36478 | An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid. | Mbed_tls, Debian_linux, Logo\!_cmr2020_firmware, Logo\!_cmr2040_firmware, Simatic_rtu3000c_firmware, Simatic_rtu3030c_firmware, Simatic_rtu3031c_firmware, Simatic_rtu3041c_firmware | 7.5 | ||
| 2021-08-23 | CVE-2020-36476 | An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory. | Mbed_tls, Debian_linux | 7.5 | ||
| 2017-04-20 | CVE-2017-2784 | An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications. | Mbed_tls | 8.1 | ||
| 2018-04-10 | CVE-2018-9988 | ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_key_exchange() that could cause a crash on invalid input. | Mbed_tls, Debian_linux | 7.5 | ||
| 2018-04-10 | CVE-2018-9989 | ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer over-read in ssl_parse_server_psk_hint() that could cause a crash on invalid input. | Mbed_tls, Debian_linux | 7.5 |