CVE-2017-14032 — Improper Authentication in ARM Mbed TLS

CWE-287 — Improper Authentication8 documents6 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 77.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS

Timeline

PublishedAug 30

Latest updateMay 17

Description

ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶Debianmbed/mbedtls< 2.6.0-1+3

▶NVDarm/mbed_tls30 versions+29

Patches

Patch: bugs.debian.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-6v28-r64j-r4w6: ARM mbed TLS before 1↗2022-05-17

▶

OSV

CVE-2017-14032: ARM mbed TLS before 1↗2017-08-30

▶

CVEList

CVE-2017-14032: ARM mbed TLS before 1↗2017-08-30

▶

📋Vendor Advisories

Debian

CVE-2017-14032: mbedtls - ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is c...↗2017

▶

💬Community

Bugzilla

CVE-2017-14032 mbedtls: Bypass peer authentication [fedora-all]↗2017-08-31

▶

Bugzilla

CVE-2017-14032 mbedtls: Bypass peer authentication↗2017-08-31

▶

Bugzilla

CVE-2017-14032 mbedtls: Bypass peer authentication [epel-all]↗2017-08-31

▶