6.8
CVE-2015-8036
- EPSS 2.87%
- Veröffentlicht 02.11.2015 19:59:16
- Zuletzt bearbeitet 05.06.2026 19:38:32
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Trustedfirmware ≫ Mbed Tls Version >= 1.3.0 < 1.3.14
Trustedfirmware ≫ Mbed Tls Version >= 2.0.0 < 2.1.2
Debian ≫ Debian Linux Version7.0
Debian ≫ Debian Linux Version8.0
Fedoraproject ≫ Fedora Version21
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.87% | 0.85 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169625.html
http://www.debian.org/security/2016/dsa-3468
https://guidovranken.files.wordpress.com/2015/10/cve-2015-5291.pdf
https://guidovranken.wordpress.com/2015/10/07/cve-2015-5291/
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2015-01
http://lists.opensuse.org/opensuse-updates/2016-08/msg00009.html