
CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjectAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).

• https://github.com/ARMmbed/mbedtls/issues/3498
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
• https://security.gentoo.org/glsa/202301-08
• CWE-295: Improper Certificate Validation

CVSS: 7.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_crl_parse_der has a buffer over-read (of one byte).

• https://bugs.gentoo.org/740108
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17
• https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
• CWE-125: Out-of-bounds Read

CVSS: 5.3 | EPSS: 0% | CPEs: 3 | EXPL: 1

An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed.

• https://bugs.gentoo.org/730752
• https://github.com/ARMmbed/mbedtls/issues/3394
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
• https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
• CWE-203: Observable Discrepancy

CVSS: 5.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel allows recovery of an ECC private key, related to mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable.

• https://bugs.gentoo.org/730752
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
• https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
• CWE-203: Observable Discrepancy

CVSS: 4.7 | EPSS: 0% | CPEs: 4 | EXPL: 0

An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values.

• https://bugs.gentoo.org/740108
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
• https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17
• https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html
• https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
• CWE-203: Observable Discrepancy