cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-23775,https://securityvulnerability.io/vulnerability/CVE-2024-23775,Integer Overflow Vulnerability in Mbed TLS 2.x and 3.x by Arm,"An Integer Overflow vulnerability in Mbed TLS versions 2.x prior to 2.28.7 and 3.x prior to 3.5.2 exists, which may allow an attacker to exploit the mbedtls_x509_set_extension() function to cause a Denial of Service (DoS). This flaw can be particularly damaging as it can disrupt the normal operation of applications relying on Mbed TLS for secure communications.",Arm,Mbed Tls,7.5,HIGH,0.0009200000204145908,false,,false,false,false,,,false,false,,2024-01-31T00:00:00.000Z,0
CVE-2024-23170,https://securityvulnerability.io/vulnerability/CVE-2024-23170,Timing Side Channel Vulnerability in Mbed TLS by Arm,"A timing side channel vulnerability in Mbed TLS versions 2.x prior to 2.28.7 and 3.x prior to 3.5.2 can potentially allow local attackers to recover plaintext from RSA private operations. This vulnerability arises when an attacker is able to send a significant number of decryption messages, utilizing the weaknesses described in 'Everlasting ROBOT: the Marvin Attack.' It highlights the importance of robust security practices to mitigate such risks.",Arm,Mbed Tls,5.5,MEDIUM,0.0005099999834783375,false,,false,false,false,,,false,false,,2024-01-31T00:00:00.000Z,0
CVE-2023-52353,https://securityvulnerability.io/vulnerability/CVE-2023-52353,Vulnerability in Mbed TLS Affects TLS Version Negotiation,"An identified issue in Mbed TLS, particularly affecting version 3.5.1, revolves around the mishandling of the maximum negotiable TLS version during SSL session resets. When a connection negotiated TLS 1.2, this version inadvertently becomes the new maximum, potentially undermining expected security configurations. This vulnerability impacts secure communication protocols, highlighting the need for careful version management and vigilance in cryptographic implementations.",Arm,Mbed Tls,7.5,HIGH,0.0006799999973736703,false,,false,false,false,,,false,false,,2024-01-21T00:00:00.000Z,0
CVE-2024-23744,https://securityvulnerability.io/vulnerability/CVE-2024-23744,Denial of Service Vulnerability in Mbed TLS 3.5.1,"A vulnerability has been identified in Mbed TLS 3.5.1, where a persistent handshake denial occurs if a client sends a TLS 1.3 ClientHello message without including any extensions. This flaw can disrupt secure communication, resulting in service interruptions for affected applications. It is crucial for users of Mbed TLS to ensure they are implementing the latest version and configurations to mitigate potential exploitation risks.",Arm,Mbed Tls,7.5,HIGH,0.0006300000241026282,false,,false,false,false,,,false,false,,2024-01-21T00:00:00.000Z,0
CVE-2023-43615,https://securityvulnerability.io/vulnerability/CVE-2023-43615,Buffer Overflow Vulnerability in Mbed TLS by ARM,"The Mbed TLS library in its versions 2.x prior to 2.28.5 and 3.x prior to 3.5.0 is susceptible to a buffer overflow vulnerability. This flaw could lead to unauthorized access or manipulation of memory, potentially allowing an attacker to execute arbitrary code or disrupt service. It is critical for users and organizations relying on these versions to update promptly and mitigate any associated risks.",Arm,Mbed Tls,7.5,HIGH,0.001230000052601099,false,,false,false,false,,,false,false,,2023-10-07T01:15:00.000Z,0
CVE-2023-45199,https://securityvulnerability.io/vulnerability/CVE-2023-45199,Buffer Overflow Vulnerability in Mbed TLS Affects Multiple Versions,"The Mbed TLS library versions 3.2.x to 3.4.x prior to 3.5 are susceptible to a buffer overflow vulnerability, which could enable attackers to execute arbitrary code remotely. This flaw arises from improper handling of user-supplied input, leading to potential exploitation. Users of Mbed TLS are urged to upgrade to the latest version to mitigate this risk.",Arm,Mbed Tls,9.8,CRITICAL,0.005270000081509352,false,,false,false,false,,,false,false,,2023-10-07T01:15:00.000Z,0
CVE-2021-36647,https://securityvulnerability.io/vulnerability/CVE-2021-36647,Broken Cryptographic Algorithm in Mbed TLS by ARM,"The Mbed TLS library, specifically in the function mbedtls_mpi_exp_mod() within bignum.c, is affected by the use of a weak or broken cryptographic algorithm. This flaw enables malicious actors who possess sufficient timing and memory access insights to exploit untrusted systems targeting secure environments, such as SGX or TrustZone secure worlds, to recover sensitive RSA private keys. This vulnerability poses significant risks for systems relying on Mbed TLS for cryptographic operations and highlights the need for updates to mitigate potential exploitation.",Arm,Mbed Tls,4.7,MEDIUM,0.0005600000149570405,false,,false,false,false,,,false,false,,2023-01-17T00:00:00.000Z,0
CVE-2022-46393,https://securityvulnerability.io/vulnerability/CVE-2022-46393,Heap-Based Buffer Issues in Mbed TLS by Arm,"A vulnerability in Mbed TLS prior to version 2.28.2 and 3.x prior to 3.3.0 allows for a potential heap-based buffer overflow and buffer over-read in DTLS. This occurs when the configuration option MBEDTLS_SSL_DTLS_CONNECTION_ID is active, and the parameters for connection ID length are improperly set, leading to potential exploitation in the application layer.",Arm,Mbed Tls,9.8,CRITICAL,0.003220000071451068,false,,false,false,false,,,false,false,,2022-12-15T00:00:00.000Z,0
CVE-2022-46392,https://securityvulnerability.io/vulnerability/CVE-2022-46392,Information Disclosure Vulnerability in Mbed TLS by ARM,"A vulnerability has been discovered in Mbed TLS versions prior to 2.28.2 and 3.x prior to 3.3.0. This issue allows an attacker who has precise knowledge of memory accesses, such as an untrusted operating system targeting a secure enclave, to potentially recover an RSA private key after monitoring a single private-key operation. This risk arises when the window size configuration (MBEDTLS_MPI_WINDOW_SIZE) used during exponentiation is set to 3 or smaller.",Arm,Mbed Tls,5.3,MEDIUM,0.0010900000343099236,false,,false,false,false,,,false,false,,2022-12-15T00:00:00.000Z,0
CVE-2022-35409,https://securityvulnerability.io/vulnerability/CVE-2022-35409,Heap-based Buffer Over-read in Mbed TLS Affects Multiple Versions,"An issue exists in Mbed TLS versions prior to 2.28.1 and 3.x before 3.2.0, where certain configurations leave DTLS servers vulnerable to an unauthenticated attack. An attacker can send an invalid ClientHello message that may cause a heap-based buffer over-read of up to 255 bytes. This vulnerability potentially leads to server crashes or information leaks based on the nature of the error responses. The specific configurations that are at risk include those with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled and MBEDTLS_SSL_IN_CONTENT_LEN set below a threshold, which may vary from 258 bytes (with mbedtls_ssl_cookie_check) to as high as 571 bytes (with custom cookie check functions).",Arm,Mbed Tls,9.1,CRITICAL,0.002520000096410513,false,,false,false,false,,,false,false,,2022-07-15T00:00:00.000Z,0
CVE-2021-43666,https://securityvulnerability.io/vulnerability/CVE-2021-43666,Denial of Service Vulnerability in mbed TLS by ARM,"A Denial of Service vulnerability in mbed TLS arises from the mbedtls_pkcs12_derivation function when inputs with a password length of zero are processed. This flaw can potentially make the system unresponsive, highlighting the need for robust input validation to prevent exploitation. The issue particularly affects mbed TLS versions up to 3.0.0, posing a risk to applications relying on this library for secure communications.",Arm,Mbed Tls,7.5,HIGH,0.0010600000387057662,false,,false,false,false,,,false,false,,2022-03-24T00:00:00.000Z,0
CVE-2021-45451,https://securityvulnerability.io/vulnerability/CVE-2021-45451,Policy Bypass and Oracle-Based Decryption in Mbed TLS by ARM,"In Mbed TLS versions prior to 3.1.0, a flaw exists in the psa_aead_generate_nonce function that allows an untrusted application to bypass security policies or exploit oracle-based decryption opportunities when the output buffer is located in memory regions accessible to the application. This weakness can potentially lead to unauthorized access to sensitive data, emphasizing the importance of upgrading to the latest version to mitigate risks.",Arm,Mbed Tls,7.5,HIGH,0.001550000044517219,false,,false,false,false,,,false,false,,2021-12-21T00:00:00.000Z,0
CVE-2021-45450,https://securityvulnerability.io/vulnerability/CVE-2021-45450,Policy Bypass and Oracle-based Decryption in Mbed TLS,"Mbed TLS versions prior to 2.28.0 and 3.x before 3.1.0 have a vulnerability where the functions psa_cipher_generate_iv and psa_cipher_encrypt can be exploited to bypass security policies. This flaw may allow an untrusted application to access sensitive memory locations, leading to potential oracle-based decryption of encrypted data. It exposes the risk of unauthorized access to protected information, highlighting the importance of upgrading to the latest stable version to mitigate these security threats.",Arm,Mbed Tls,7.5,HIGH,0.0021699999924749136,false,,false,false,false,,,false,false,,2021-12-21T00:00:00.000Z,0
CVE-2021-44732,https://securityvulnerability.io/vulnerability/CVE-2021-44732,Double Free Vulnerability in Mbed TLS Affects Multiple Versions,"A double free vulnerability exists in Mbed TLS versions before 3.0.1. This issue may be triggered under certain out-of-memory conditions, particularly exemplified by failures during SSL session management. If exploited, this vulnerability can lead to unexpected behavior or application crashes, thus potentially allowing unauthorized access or denial of service in applications relying on Mbed TLS. Users are advised to update to the latest versions to mitigate this risk.",Arm,Mbed Tls,9.8,CRITICAL,0.005090000107884407,false,,false,false,false,,,false,false,,2021-12-20T00:00:00.000Z,0
CVE-2020-36475,https://securityvulnerability.io/vulnerability/CVE-2020-36475,Denial of Service Vulnerability in Mbed TLS by ARM,"An issue in Mbed TLS prior to version 2.25.0 can lead to Denial of Service due to unrestricted calculations performed by mbedtls_mpi_exp_mod. This could allow an attacker to supply excessively large parameters, potentially disrupting the generation of Diffie-Hellman key pairs.",Arm,Mbed Tls,7.5,HIGH,0.006639999803155661,false,,false,false,false,,,false,false,,2021-08-23T00:00:00.000Z,0
CVE-2020-36477,https://securityvulnerability.io/vulnerability/CVE-2020-36477,Certificate Verification Issue in Mbed TLS by ARM,"A security issue in Mbed TLS prior to version 2.24.0 compromises the verification of X.509 certificates. The vulnerability occurs when comparing expected names to actual certificate names while handling the subjectAltName extension. If the subjectAltName extension is utilized, the verification process incorrectly allows an attacker to impersonate a domain by manipulating the 4-byte or 16-byte representation tied to an IPv4 or IPv6 address. The attacker must control the relevant IP address to exploit this flaw.",Arm,Mbed Tls,5.9,MEDIUM,0.001180000021122396,false,,false,false,false,,,false,false,,2021-08-23T00:00:00.000Z,0
CVE-2020-36476,https://securityvulnerability.io/vulnerability/CVE-2020-36476,Mbed TLS Vulnerability in SSL Read Function by ARM,"An issue in Mbed TLS prior to version 2.24.0, as well as pre-release 2.16.8 LTS and 2.7.17 LTS, exposes an application data security risk. The vulnerability arises from insufficient zeroization of plaintext buffers in the mbedtls_ssl_read function, leading to potential information leakage of sensitive data remnants from memory. This flaw emphasizes the importance of proper memory management to ensure data confidentiality.",Arm,Mbed Tls,7.5,HIGH,0.003800000064074993,false,,false,false,false,,,false,false,,2021-08-23T00:00:00.000Z,0
CVE-2020-36478,https://securityvulnerability.io/vulnerability/CVE-2020-36478,Certificate Validation Flaw in Mbed TLS by ARM,"A flaw in Mbed TLS versions prior to 2.25.0 allows for erroneous validation of certificates due to the misleading interpretation of NULL algorithm parameters. When these parameters are misrepresented as an empty array of REAL, the system mistakenly considers the certificate valid, even if the actual parameters do not align. This could lead to the acceptance of fraudulent certificates, posing significant security risks to applications relying on proper certificate validation.",Arm,Mbed Tls,7.5,HIGH,0.0023300000466406345,false,,false,false,false,,,false,false,,2021-08-23T00:00:00.000Z,0
CVE-2020-36426,https://securityvulnerability.io/vulnerability/CVE-2020-36426,Buffer Over-read Vulnerability in Arm Mbed TLS,"A buffer over-read vulnerability was identified in Arm Mbed TLS versions prior to 2.24.0, specifically affecting the mbedtls_x509_crl_parse_der function. This flaw could potentially lead to unauthorized access or exposure of sensitive data. It is crucial for users and developers relying on this cryptographic library to apply the latest updates and mitigate associated risks.",Arm,Mbed Tls,7.5,HIGH,0.002739999908953905,false,,false,false,false,,,false,false,,2021-07-19T00:00:00.000Z,0
CVE-2020-36421,https://securityvulnerability.io/vulnerability/CVE-2020-36421,Weakness in Modular Exponentiation Affects Arm Mbed TLS,"A side channel vulnerability was identified in Arm Mbed TLS prior to version 2.23.0, which can lead to the exposure of an RSA private key utilized within a secure enclave. The issue stems from how modular exponentiation is handled during cryptographic operations. If exploited, this vulnerability could allow an attacker to obtain sensitive cryptographic material, thereby compromising the security of applications relying on Mbed TLS for secure communications.",Arm,Mbed Tls,5.3,MEDIUM,0.002219999907538295,false,,false,false,false,,,false,false,,2021-07-19T00:00:00.000Z,0
CVE-2020-36422,https://securityvulnerability.io/vulnerability/CVE-2020-36422,Side Channel Vulnerability in Arm Mbed TLS Software,"A vulnerability in Arm Mbed TLS prior to version 2.23.0 exposes a side channel that can be exploited to recover an ECC private key. The issue involves functions such as mbedtls_ecp_check_pub_priv, mbedtls_pk_parse_key, mbedtls_pk_parse_keyfile, mbedtls_ecp_mul, and mbedtls_ecp_mul_restartable. This could pose significant risks to applications relying on the security of ECC keys, allowing unauthorized access to sensitive data.",Arm,Mbed Tls,5.3,MEDIUM,0.0022100000642240047,false,,false,false,false,,,false,false,,2021-07-19T00:00:00.000Z,0
CVE-2020-36423,https://securityvulnerability.io/vulnerability/CVE-2020-36423,Information Disclosure Vulnerability in Arm Mbed TLS Software,"A vulnerability in Arm Mbed TLS prior to version 2.23.0 allows remote attackers to recover plaintext data. This issue arises from improper handling of a specific scenario in the Lucky 13 countermeasure within the context of a hardware accelerator, potentially exposing sensitive information.",Arm,Mbed Tls,7.5,HIGH,0.00343000004068017,false,,false,false,false,,,false,false,,2021-07-19T00:00:00.000Z,0
CVE-2020-36424,https://securityvulnerability.io/vulnerability/CVE-2020-36424,Vulnerability in Arm Mbed TLS Affects RSA and Diffie-Hellman Key Generation,"An issue has been identified in Arm Mbed TLS, which includes a vulnerability that can be exploited through side-channel attacks during the generation of base blinding/unblinding values. This allows an attacker to recover private keys associated with RSA or static Diffie-Hellman protocols. It is important for users of Mbed TLS versions prior to 2.24.0 to implement necessary updates to mitigate this security risk. The vulnerability highlights the importance of robust cryptographic implementations to prevent potential exploitation.",Arm,Mbed Tls,4.7,MEDIUM,0.0005699999746866524,false,,false,false,false,,,false,false,,2021-07-19T00:00:00.000Z,0
CVE-2020-36425,https://securityvulnerability.io/vulnerability/CVE-2020-36425,Certificate Revocation Flaw in Arm Mbed TLS,"A flaw in Arm Mbed TLS, prior to version 2.24.0, involves improper handling of certificate revocation checks, specifically with the revocationDate attribute. This vulnerability allows an attacker to exploit the system by altering the local clock, potentially undermining the trust established by certificate revocation lists (CRLs). As a consequence, the software may inadvertently accept expired or untrusted certificates, exposing applications to various security risks. Users are encouraged to upgrade to the latest versions to mitigate this issue.",Arm,Mbed Tls,5.3,MEDIUM,0.0023300000466406345,false,,false,false,false,,,false,false,,2021-07-19T00:00:00.000Z,0
CVE-2021-24119,https://securityvulnerability.io/vulnerability/CVE-2021-24119,Side-channel Vulnerability in Trusted Firmware Mbed TLS Affecting RSA Key Security,"A side-channel vulnerability in Trusted Firmware Mbed TLS version 2.24.0 allows system-level attackers to extract sensitive information from isolated environments. By leveraging controlled and side-channel attacks, attackers can potentially obtain secret RSA key data, especially when software runs in environments using Intel SGX. This poses a risk to the integrity and confidentiality of cryptographic operations, making it essential for system administrators to address and mitigate this vulnerability promptly.",Arm,Mbed Tls,4.9,MEDIUM,0.0024800000246614218,false,,false,false,false,,,false,false,,2021-07-14T00:00:00.000Z,0