CVE-2018-19608 — Improper Privilege Management in ARM Mbed TLS

CWE-269 — Improper Privilege Management8 documents6 sources

Severity

4.7MEDIUMNVD

EPSS

0.2%

top 52.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mbed Mbedtls ARM Mbed TLS

Timeline

PublishedDec 5

Latest updateMay 13

Description

Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unprivileged attacker to recover the plaintext of RSA decryption, which is used in RSA-without-(EC)DH(E) cipher suites.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages2 packages

▶NVDarm/mbed_tls2.1.0 — 2.1.17+2

▶Debianmbed/mbedtls< 2.14.1-1+3

🔴Vulnerability Details

GHSA

GHSA-vqf5-9m3g-rhvm: Arm Mbed TLS before 2↗2022-05-13

▶

OSV

CVE-2018-19608: Arm Mbed TLS before 2↗2018-12-05

▶

CVEList

CVE-2018-19608: Arm Mbed TLS before 2↗2018-12-05

▶

📋Vendor Advisories

Debian

CVE-2018-19608: mbedtls - Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a local unpri...↗2018

▶

💬Community

Bugzilla

CVE-2018-19608 mbedtls: Local timing attack on RSA decryption [fedora-all]↗2018-12-06

▶

Bugzilla

CVE-2018-19608 mbedtls: Local timing attack on RSA decryption [epel-all]↗2018-12-06

▶

Bugzilla

CVE-2018-19608 mbedtls: Local timing attack on RSA decryption↗2018-12-06

▶