Mbed TLS Vulnerability in SSL Read Function by ARM
CVE-2020-36476

7.5HIGH

Key Information:

Vendor: Arm
Status: Mbed Tls
Vendor: CVE Published:; 23 August 2021

Summary

An issue in Mbed TLS prior to version 2.24.0, as well as pre-release 2.16.8 LTS and 2.7.17 LTS, exposes an application data security risk. The vulnerability arises from insufficient zeroization of plaintext buffers in the mbedtls_ssl_read function, leading to potential information leakage of sensitive data remnants from memory. This flaw emphasizes the importance of proper memory management to ensure data confidentiality.

References

https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17

https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 23, 2021
Vulnerability Reserved
Aug 23, 2021