CVE-2017-2784

Published: 20/04/2017 Updated: 19/04/2022
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

An exploitable vulnerability exists in the X.509 certificate parsing code of ARM mbed TLS prior to 1.3.19, 2.x prior to 2.1.7, and 2.4.x prior to 2.4.2, in which a pointer to stack memory is passed to free. A specially crafted X.509 certificate, when parsed by the mbed TLS library, can cause an invalid free of a stack pointer, leading to potential remote code execution. To exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious X.509 certificates to vulnerable applications.

Vulnerability Trend

Vulnerable Products

arm mbed tls
arm mbed tls 2.0.0
arm mbed tls 2.1.0
arm mbed tls 2.1.1
arm mbed tls 2.1.2
arm mbed tls 2.1.3
arm mbed tls 2.1.4
arm mbed tls 2.1.5
arm mbed tls 2.1.6
arm mbed tls 2.4.0

Vendor Advisories

Debian Bug report logs - #857560 mbedtls: CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve. Package: libmbedcrypto0; Maintainer for libmbedcrypto0 is James Cowgill <jcowgill@debian.org>; Source for libmbedcrypto0 is src:mbedtls (PTS, buildd, popcon). Reported by: James Cow ...

A security issue has been found in mbed TLS < 2.4.2. If a malicious peer supplies a certificate with a specially crafted secp224k1 public key, then an attacker can cause the server or client to attempt to free a block of memory held on the stack. Depending on the platform, this could result in a Denial of Service (client crash) or potentially could be ...