CVE-2015-8036 — Improper Restriction of Operations within the Bounds of a Memory Buffer in ARM Mbed TLS
CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer14 documents6 sources
Severity
6.8MEDIUMNVD
EPSS
1.4%
top 19.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 2
Latest updateMay 14
Description
Heap-based buffer overflow in ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long session ticket name to the session ticket extension, which is not properly handled when creating a ClientHello message to resume a session. NOTE: this identifier was SPLIT from CVE-2015-5291 per ADT3 due to different affected version ranges.
CVSS vector
AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4
Affected Packages5 packages
Also affects: Debian Linux 7.0, 8.0, Fedora 21, 22, 23
🔴Vulnerability Details
6GHSA
▶
📋Vendor Advisories
2💬Community
4Bugzilla▶
CVE-2015-5291 CVE-2015-8036 polarssl: mbedtls: crash or remote code execution on clients using session tickets or SNI↗2015-10-09
Bugzilla▶
CVE-2015-5291 CVE-2015-8036 polarssl: mbedtls: crash or remote code execution on clients using session tickets or SNI [fedora-all]↗2015-10-09
Bugzilla▶
CVE-2015-5291 CVE-2015-8036 polarssl: mbedtls: crash or remote code execution on clients using session tickets or SNI [fedora-all]↗2015-10-09
Bugzilla▶
CVE-2015-5291 CVE-2015-8036 polarssl: mbedtls: crash or remote code execution on clients using session tickets or SNI [epel-all]↗2015-10-09