5.9

CVE-2020-36477

EPSS 0.21%
Published 23.08.2021 02:15:07
Last modified 21.11.2024 05:29:38
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Arm ≫ Mbed Tls Version < 2.24.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.43

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

Third Party Advisory

Release Notes

https://github.com/ARMmbed/mbedtls/issues/3498

Third Party Advisory

https://security.gentoo.org/glsa/202301-08

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-36477

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-36477

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-36477

EUVD