8.1

CVE-2017-2784

Exploit

An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ArmMbed Tls Version <= 1.3.18
ArmMbed Tls Version2.0.0
ArmMbed Tls Version2.1.0
ArmMbed Tls Version2.1.1
ArmMbed Tls Version2.1.2
ArmMbed Tls Version2.1.3
ArmMbed Tls Version2.1.4
ArmMbed Tls Version2.1.5
ArmMbed Tls Version2.1.6
ArmMbed Tls Version2.4.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.18% 0.881
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.2 5.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
talos-cna@cisco.com 8.1 2.2 5.9
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://www.talosintelligence.com/reports/TALOS-2017-0274/
Third Party Advisory
Exploit
VDB Entry
Technical Description