Page 5 of 26 results (0.008 seconds)

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_crl_parse_der has a buffer over-read (of one byte). Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.24.0. la función mbedtls_x509_crl_parse_der presenta lectura excesiva del búfer (de un byte) • https://bugs.gentoo.org/740108 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-125: Out-of-bounds Read •

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1

An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a side channel in modular exponentiation, an RSA private key used in a secure enclave could be disclosed. Se ha detectado un problema en Arm Mbed TLS versiones anteriores a 2.23.0. Debido a un canal lateral en la exponenciación modular, una clave privada RSA usada en un enclave seguro podría ser divulgada • https://bugs.gentoo.org/730752 https://github.com/ARMmbed/mbedtls/issues/3394 https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.7 https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0 https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html • CWE-203: Observable Discrepancy •

CVSS: 4.9EPSS: 0%CPEs: 5EXPL: 0

In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX. En Trusted Firmware Mbed versión TLS versión 2.24.0, una vulnerabilidad de canal lateral en la decodificación de archivos PEM base64, permite a atacantes a nivel de sistema (administrador) obtener información sobre claves RSA secretas por medio de un ataque de canal controlado y de canal lateral en el software ejecutándose entornos aislados que pueden ser de un solo paso, especialmente Intel SGX • https://github.com/ARMmbed/mbedtls/releases https://github.com/UzL-ITS/util-lookup/blob/main/cve-vulnerability-publication.md https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DRRVY7DMTX3ECFNZKDYTSFEG5AI2HBC6 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EYJW7HAW3TDV2YMDFYXP3HD6WRQRTLJW • CWE-203: Observable Discrepancy •

CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0

A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length. Un canal lateral de sincronización Lucky versión 13, en la función mbedtls_ssl_decrypt_buf en el archivo library/ssl_msg.c en Trusted Firmware Mbed TLS versiones hasta 2.23.0, permite a un atacante recuperar información de la clave secreta. Esto afecta al modo CBC debido a una diferencia de tiempo calculada basada en una longitud de relleno • https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5OSOFUD6UTGTDDSQRS62BPXDU52I6PUA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IRPBHCQKZXHVKOP5O5EWE7P76AWGUXQJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD3NM6GD73CTFFRBKG5G2ACXGG7QQHCC https://tls.mbed.org/tech-updates/security-advisories https://tls.mbed.org/tech-updates/security-adv • CWE-203: Observable Discrepancy •

CVSS: 4.7EPSS: 0%CPEs: 7EXPL: 0

The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 and Mbed TLS through 2.19.1 does not reduce the blinded scalar before computing the inverse, which allows a local attacker to recover the private key via side-channel attacks. La implementación de la firma ECDSA en el archivo ecdsa.c en Arm Mbed Crypto versión 2.1 y Mbed TLS versiones hasta 2.19.1, no reduce el escalar ciego antes de calcular el inverso, lo que permite a un atacante local recuperar la clave privada por medio de ataques de canal lateral. • https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A3GWQNONS7GRORXZJ7MOJFUEJ2ZJ4OUW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NGDACU65MYZXXVPQP2EBHUJGOR4RWLVY https://tls.mbed.org/tech-updates/security-advisories https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 • CWE-203: Observable Discrepancy •