CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-36423
https://notcve.org/view.php?id=CVE-2020-36423
An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attacker can recover plaintext because a certain Lucky 13 countermeasure doesn't properly consider the case of a hardware accelerator. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.23.0. Un atacante remoto puede recuperar el texto plano porque una determinada contramedida de Lucky 13 no considera apropiadamente el caso de un acelerador de hardware • https://bugs.gentoo.org/730752 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7 https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 4.7EPSS: 0%CPEs: 4EXPL: 0CVE-2020-36424
https://notcve.org/view.php?id=CVE-2020-36424
An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can recover a private key (for RSA or static Diffie-Hellman) via a side-channel attack against generation of base blinding/unblinding values. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.24.0. Un atacante puede recuperar una clave privada (para RSA o Diffie-Hellman estático) por medio de un ataque de canal lateral contra la generación de valores blinding/unblinding de base • https://bugs.gentoo.org/740108 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2 • CWE-203: Observable Discrepancy •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2020-36425
https://notcve.org/view.php?id=CVE-2020-36425
An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.24.0. Usa incorrectamente una comprobación de revocationDate cuando decide si acepta la revocación de certificados por medio de una CRL. • https://bugs.gentoo.org/740108 https://github.com/ARMmbed/mbedtls/issues/3340 https://github.com/ARMmbed/mbedtls/pull/3433 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-36426
https://notcve.org/view.php?id=CVE-2020-36426
An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_crl_parse_der has a buffer over-read (of one byte). Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.24.0. la función mbedtls_x509_crl_parse_der presenta lectura excesiva del búfer (de un byte) • https://bugs.gentoo.org/740108 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-125: Out-of-bounds Read •
CVSS: 4.9EPSS: 0%CPEs: 5EXPL: 0CVE-2021-24119
https://notcve.org/view.php?id=CVE-2021-24119
In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. En Trusted Firmware Mbed versión TLS versión 2.24.0, una vulnerabilidad de canal lateral en la decodificación de archivos PEM base64, permite a atacantes a nivel de sistema (administrador) obtener información sobre claves RSA secretas por medio de un ataque de canal controlado y de canal lateral en el software ejecutándose entornos aislados que pueden ser de un solo paso, especialmente Intel SGX • https://github.com/ARMmbed/mbedtls/releases https://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW • CWE-203: Observable Discrepancy •