CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-43666 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2021-43666
24 Mar 2022 — A Denial of Service vulnerability exists in mbed TLS 3.0.0 and earlier in the mbedtls_pkcs12_derivation function when an input password's length is 0. Se presenta una vulnerabilidad de denegación de servicio en mbed TLS 3.0.0 y anteriores, en la función mbedtls_pkcs12_derivation cuando la longitud de una contraseña de entrada es 0 Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than 2.28.1 are affected. • https://github.com/ARMmbed/mbedtls/issues/5136 •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-45450 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2021-45450
21 Dec 2021 — In Mbed TLS before 2.28.0 and 3.x before 3.1.0, psa_cipher_generate_iv and psa_cipher_encrypt allow policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application. En Mbed TLS versiones anteriores a 2.28.0 y 3.x versiones anteriores a 3.1.0, las funciones psa_cipher_generate_iv y psa_cipher_encrypt permiten omitir la política o el descifrado basado en oráculos cuando el búfer de salida es encontrado en ubicaciones de memoria accesibles para una ... • https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-45451
https://notcve.org/view.php?id=CVE-2021-45451
21 Dec 2021 — In Mbed TLS before 3.1.0, psa_aead_generate_nonce allows policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application. En Mbed TLS versiones anteriores a 3.1.0, la función psa_aead_generate_nonce permite omitir la política o el descifrado basado en oráculos cuando el búfer de salida es encontrada en ubicaciones de memoria accesibles para una aplicación no confiable • https://github.com/ARMmbed/mbedtls/releases/tag/v3.1.0 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 1CVE-2021-44732 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2021-44732
20 Dec 2021 — Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failure. Mbed TLS versiones anteriores a 3.0.1,presenta una doble liberación en determinadas condiciones de salida de memoria, como es demostrado por un fallo de la función mbedtls_ssl_set_session() Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than 2.28.1 are affected. • https://bugs.gentoo.org/829660 • CWE-415: Double Free •
CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 0CVE-2020-36475 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2020-36475
23 Aug 2021 — An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). The calculations performed by mbedtls_mpi_exp_mod are not limited; thus, supplying overly large parameters could lead to denial of service when generating Diffie-Hellman key pairs. Se ha detectado un problema en Mbed TLS versiones anteriores a 2.25.0 (y versiones anteriores a 2.16.9 LTS y versiones anteriores a 2.7.18 LTS). Los cálculos llevado a cabo por la función mbedtls_mpi_exp_mod no están limitados; por lo... • https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf • CWE-131: Incorrect Calculation of Buffer Size •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2020-36476 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2020-36476
23 Aug 2021 — An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory. Se ha detectado un problema en Mbed TLS versiones anteriores a 2.24.0 (y versiones anteriores a 2.16.8 LTS y versiones anteriores a 2.7.17 LTS). Falta la puesta a cero de los búferes de texto plano en la función mbedtls_ssl_read para borrar de la memoria los datos no usados de la aplicación. Multip... • https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36477 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2020-36477
23 Aug 2021 — An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require ... • https://github.com/ARMmbed/mbedtls/issues/3498 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 1CVE-2020-36478 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2020-36478
23 Aug 2021 — An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid. Se ha detectado un problema en Mbed TLS versiones anteriores a 2.25.0 (y versiones anteriores a 2.16.9 LTS y versiones anteriores a 2.7.18 LTS). Una entrada de parámetros de algoritmo ... • https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2020-36421 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2020-36421
19 Jul 2021 — An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.23.0. Debido a un canal lateral en la exponenciación modular, una clave privada RSA usada en un enclave seguro podría ser divulgada Multiple vulnerabilities have been discovered in Mbed TLS, the worst of which could result in arbitrary code execution. Versions less than ... • https://bugs.gentoo.org/730752 • CWE-203: Observable Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36422 – Gentoo Linux Security Advisory 202301-08
https://notcve.org/view.php?id=CVE-2020-36422
19 Jul 2021 — An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.23.0. Un canal lateral permite la recuperación de una clave privada ECC, en relación con las funciones mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul y ... • https://bugs.gentoo.org/730752 • CWE-203: Observable Discrepancy •