CVE-2018-0487

Name
CVE-2018-0487
Description
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Mitigation https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01
Third Party Advisory http://www.securityfocus.com/bid/103056
Third Party Advisory https://www.debian.org/security/2018/dsa-4138
Third Party Advisory https://www.debian.org/security/2018/dsa-4147
Third Party Advisory https://security.gentoo.org/glsa/201804-19
UBUNTU https://usn.ubuntu.com/4267-1/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 2.1.0 < 2.1.10
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 2.2.0 < 2.7.0
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 1.3.8 < 1.3.22

Vulnerable and fixed packages

Source package Branch Version Maintainer Status