Lucene search

[email protected]CVE-2020-36476

HistoryAug 23, 2021 - 2:15 a.m.

CVE-2020-36476

2021-08-2302:15:00

CWE-212

[email protected]

web.nvd.nist.gov

cve-2020-36476

mbed tls

security issue

plaintext buffers

memory vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

53.6%

JSON

An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.

CPENameOperatorVersion
arm:mbed_tlsarm mbed tlslt2.7.17
arm:mbed_tlsarm mbed tlslt2.16.8
arm:mbed_tlsarm mbed tlslt2.24.0
debian:debian_linuxdebian debian linuxeq9.0
debian:debian_linuxdebian debian linuxeq10.0

CPE	Name	Operator	Version
arm:mbed_tls	arm mbed tls	lt	2.7.17
arm:mbed_tls	arm mbed tls	lt	2.16.8
arm:mbed_tls	arm mbed tls	lt	2.24.0
debian:debian_linux	debian debian linux	eq	9.0
debian:debian_linux	debian debian linux	eq	10.0