5.9

CVE-2020-36477

EPSS 0.21%
Veröffentlicht 23.08.2021 02:15:07
Zuletzt bearbeitet 21.11.2024 05:29:38
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Arm ≫ Mbed Tls Version < 2.24.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.43

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

Third Party Advisory

Release Notes

https://github.com/ARMmbed/mbedtls/issues/3498

Third Party Advisory

https://security.gentoo.org/glsa/202301-08

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-36477

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-36477

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-36477

EUVD