CVE-2018-0488

critical

Description

ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

References

https://www.debian.org/security/2018/dsa-4147

https://www.debian.org/security/2018/dsa-4138

https://usn.ubuntu.com/4267-1/

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

https://security.gentoo.org/glsa/201804-19

http://www.securityfocus.com/bid/103057

Details

Source: Mitre, NVD

Published: 2018-02-13

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical