CVE-2018-19608

Name
CVE-2018-19608
Description
Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03
Third Party Advisory https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released
Third Party Advisory http://cat.eyalro.net/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 2.7.0 < 2.7.8
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 2.1.0 < 2.1.17
cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* mbed_tls >= 2.14.0 < 2.14.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
mbedtls2 edge-community 2.14.1-r0 None fixed
mbedtls2 3.22-community 2.14.1-r0 None fixed
mbedtls2 3.21-community 2.14.1-r0 None fixed
mbedtls2 3.20-community 2.14.1-r0 None fixed
mbedtls edge-main 2.14.1-r0 None fixed
mbedtls 3.22-main 2.14.1-r0 None fixed
mbedtls 3.21-main 2.14.1-r0 None fixed
mbedtls 3.20-main 2.14.1-r0 None fixed
mbedtls 3.19-main 2.14.1-r0 None fixed
mbedtls 3.18-main 2.14.1-r0 None fixed
mbedtls 3.17-main 2.14.1-r0 None fixed
mbedtls 3.12-main 2.14.1-r0 None fixed
mbedtls 3.11-main 2.14.1-r0 None fixed
mbedtls 3.10-main 2.14.1-r0 None fixed