CVE-2018-0497

Name
CVE-2018-0497
Description
ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Mitigation https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
Third Party Advisory https://www.debian.org/security/2018/dsa-4296
Mailing List https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html
UBUNTU https://usn.ubuntu.com/4267-1/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 2.2.0 < 2.7.5
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= None < 2.1.14
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 2.8.0 < 2.12.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status