Vulnerability Description
An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arm | Mbed TLS | < 2.7.17 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 (Release Notes, Third Party Advisory)
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0 (Release Notes, Third Party Advisory)
- https://github.com/ARMmbed/mbedtls/releases/tag/v2.7.17 (Release Notes, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/11/msg00021.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/12/msg00036.html (Mailing List, Third Party Advisory)
FAQ
What is CVE-2020-36476?
CVE-2020-36476 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data ...
How severe is CVE-2020-36476?
CVE-2020-36476 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2020-36476?
Check the references section above for vendor advisories and patch information. Affected products include: Arm Mbed TLS, Debian Debian Linux.