CVE-2018-0497

Published: 28/07/2018 Updated: 10/02/2020
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

ARM mbed TLS before 2.12.0 (2.7.x before 2.7.5 and 2.1.x before 2.1.14) allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.

Vulnerable Products

ARM mbed TLS

Debian Linux 8.0

Debian Linux 9.0

Vendor Advisories

Debian Bug report logs - #904821 mbedtls: CVE-2018-0497, CVE-2018-0498: Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel. Package: src:mbedtls; Maintainer for src:mbedtls is James Cowgill <jcowgill@debian.org>; Reported by: James Cowgill <jcowgill@debian.org>; Date: Sat, 28 Jul 20 ...
Several security issues were fixed in mbedtls ...
Two vulnerabilities were discovered in mbedtls, a lightweight crypto and SSL/TLS library, which could result in plain text recovery via side-channel attacks. For the stable distribution (stretch), these problems have been fixed in version 2.4.2-1+deb9u3. We recommend that you upgrade your mbedtls packages. For the detailed security status of mbedtls ...
A remote plaintext recovery security issue has been found in Mbed TLS before 2.12.0, 2.7.5 or 2.1.14, when using a CBC based ciphersuite. To be able to mount an attack, the attacker has to be able to observe and manipulate network packets and, for TLS, to be able to generate multiple sessions where the same plaintext is sent. For DTLS a single sess ...