Vulnerability in Mbed TLS Affects TLS Version Negotiation
CVE-2023-52353
7.5 HIGH
Summary
An issue in Mbed TLS, particularly affecting version 3.5.1, involves mishandling of the maximum negotiable TLS version during SSL session resets. If a connection negotiated TLS 1.2, that version inadvertently becomes the new maximum when the session is reset, potentially undermining the expected security configuration. The vulnerability affects secure communication and shows the need for careful version management in cryptographic implementations.
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved