CVE-2024-28755

EPSS 0.13%
Published 03.04.2024 03:15:10
Last modified 10.06.2025 00:41:15
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.

Affected products Warnungen 0 Metrics 2 CWE 1 References 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Arm ≫ Mbed Tls Version >= 3.5.0 <= 3.6.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.13%	0.328

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-326 Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/

Vendor Advisory

https://github.com/Mbed-TLS/mbedtls/releases/tag/v3.6.0

Release Notes

https://github.com/hey3e

Not Applicable

https://hey3e.github.io

Not Applicable

https://nvd.nist.gov/vuln/detail/CVE-2024-28755

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-28755

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-28755

EUVD