CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 1CVE-2020-36478
https://notcve.org/view.php?id=CVE-2020-36478
An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid. Se ha detectado un problema en Mbed TLS versiones anteriores a 2.25.0 (y versiones anteriores a 2.16.9 LTS y versiones anteriores a 2.7.18 LTS). Una entrada de parámetros de algoritmo NULL parece idéntica a una matriz de REAL (tamaño cero) y, por tanto, el certificado es considerado válido. • https://cert-portal.siemens.com/productcert/pdf/ssa-756638.pdf https://github.com/ARMmbed/mbedtls/issues/3629 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.9 https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0 https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.18 https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-295: Improper Certificate Validation •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2020-36425
https://notcve.org/view.php?id=CVE-2020-36425
An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.24.0. Usa incorrectamente una comprobación de revocationDate cuando decide si acepta la revocación de certificados por medio de una CRL. • https://bugs.gentoo.org/740108 https://github.com/ARMmbed/mbedtls/issues/3340 https://github.com/ARMmbed/mbedtls/pull/3433 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36423
https://notcve.org/view.php?id=CVE-2020-36423
An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.23.0. Un atacante remoto puede recuperar el texto plano porque una determinada contramedida de Lucky 13 no considera apropiadamente el caso de un acelerador de hardware • https://bugs.gentoo.org/730752 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7 https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36422
https://notcve.org/view.php?id=CVE-2020-36422
An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.23.0. Un canal lateral permite la recuperación de una clave privada ECC, en relación con las funciones mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul y mbedtls_ecp_mul_restartable • https://bugs.gentoo.org/730752 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7 https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-203: Observable Discrepancy •
CVSS: 4.7EPSS: 0%CPEs: 4EXPL: 0CVE-2020-36424
https://notcve.org/view.php?id=CVE-2020-36424
An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.24.0. Un atacante puede recuperar una clave privada (para RSA o Diffie-Hellman estático) por medio de un ataque de canal lateral contra la generación de valores blinding/unblinding de base • https://bugs.gentoo.org/740108 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2 • CWE-203: Observable Discrepancy •