CyberSec.Space Logo
CVEブラウザに戻る

CVE-2018-0488

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1860%
EPSS Percentile22.04th
Published2018年2月13日
Last Modified2024年11月21日

Vulnerability Description

ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

Affected Platforms (CPE)

📦
Arm

Mbed Tls

>= 1.3.0 and < 1.3.22
📦
Arm

Mbed Tls

>= 2.1.0 and < 2.1.10
📦
Arm

Mbed Tls

>= 2.2.0 and < 2.7.0
💻
Debian

Debian Linux

= 8.0
💻
Debian

Debian Linux

= 9.0

References & Advisories

🔗 http://www.securityfocus.com/bid/103057
🔗 https://security.gentoo.org/glsa/201804-19
🔗 https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
🔗 https://usn.ubuntu.com/4267-1/
🔗 https://www.debian.org/security/2018/dsa-4138
🔗 https://www.debian.org/security/2018/dsa-4147
🔗 http://www.securityfocus.com/bid/103057
🔗 https://security.gentoo.org/glsa/201804-19

関連する脆弱性情報

CVE-2021-447329.8

Mbed TLS before 3.0.1 has a double free in certain out-of-memory conditions, as demonstrated by an mbedtls_ssl_set_session() failu...

CVE-2018-04879.8

ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of...

CVE-2017-181879.8

In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_...

CVE-2022-463939.8

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-b...