CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-17210
https://notcve.org/view.php?id=CVE-2019-17210
A denial-of-service issue was discovered in the MQTT library in Arm Mbed OS 2017-11-02. The function readMQTTLenString() is called by the function MQTTDeserialize_publish() to get the length and content of the MQTT topic name. In the function readMQTTLenString(), mqttstring->lenstring.len is a part of user input, which can be manipulated. An attacker can simply change it to a larger value to invalidate the if statement so that the statements inside the if statement are skipped, letting the value of mqttstring->lenstring.data default to zero. Later, curn is accessed, which points to mqttstring->lenstring.data. • https://github.com/ARMmbed/mbed-os/issues/11802 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 8EXPL: 0CVE-2019-16910
https://notcve.org/view.php?id=CVE-2019-16910
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.) Arm Mbed TLS versiones anteriores a 2.19.0 y Arm Mbed Crypto versiones anteriores a 2.0.0, cuando el ECDSA determinista está habilitado, usa un RNG con entropía insuficiente para el cegamiento, lo que podría permitir a un atacante recuperar una clave privada por medio de ataques de canal lateral si una víctima firma el mismo mensaje muchas veces. (Para Mbed TLS, la corrección también está disponible en las versiones 2.7.12 y 2.16.3.) • https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CGSKQSGR5SOBRBXDSSPTCDSBB5K3GMPF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CSFFOROD6IVLADZHNJC2LPDV7FQRP7XB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproje •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-19440
https://notcve.org/view.php?id=CVE-2018-19440
ARM Trusted Firmware-A allows information disclosure. ARM Trusted Firmware-A permite la divulgación de información. • https://github.com/ARM-software/arm-trusted-firmware/pull/1710 https://github.com/ARM-software/arm-trusted-firmware/wiki/Trusted-Firmware-A-Security-Advisory-TFV-8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15031
https://notcve.org/view.php?id=CVE-2017-15031
In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information. En todas las versiones de ARM Trusted Firmware hasta e incluyendo la v1.4, la no inicialización del guardado/restauración del registro PMCR_EL0 puede filtrar información segura de tiempo global. • http://www.securityfocus.com/bid/106271 https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2018-19608
https://notcve.org/view.php?id=CVE-2018-19608
Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites. Arm Mbed TLS en versiones anteriores a la 2.14.1, 2.7.8 y a la 2.1.17 permite que un atacante local sin privilegios recupere el texto plano del descifrado RSA, que se emplea en suites de cifrado RSA-without-(EC)DH(E). • http://cat.eyalro.net https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03 • CWE-269: Improper Privilege Management •