CVE-2020-10941Missing Encryption of Sensitive Data in ARM Mbed Crypto

CWE-311Missing Encryption of Sensitive Data9 documents7 sources
Severity
5.9MEDIUMNVD
EPSS
0.7%
top 27.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Mbed MbedtlsARM Mbed CryptoARM Mbed TLS+2 more
Timeline
PublishedMar 24
Latest updateMay 24

Description

Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during an import.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

NVDarm/mbed_tls< 2.16.5
NVDarm/mbed_crypto< 3.1.0
Debianmbed/mbedtls< 2.16.5-1+3

Also affects: Debian Linux 10.0, Fedora 31, 32

🔴Vulnerability Details

3
GHSA
GHSA-3qrr-m24q-j9qm: Arm Mbed TLS before 22022-05-24
CVEList
CVE-2020-10941: Arm Mbed TLS before 22020-03-24
OSV
CVE-2020-10941: Arm Mbed TLS before 22020-03-24

📋Vendor Advisories

2
Microsoft
Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an RSA private key) by measuring cache usage during an import.2020-03-10
Debian
CVE-2020-10941: mbedtls - Arm Mbed TLS before 2.16.5 allows attackers to obtain sensitive information (an ...2020

💬Community

3
Bugzilla
CVE-2020-10941 mbedtls: cache attack against RSA key import in SGX2020-06-29
Bugzilla
CVE-2020-10941 mbedtls: cache attack against RSA key import in SGX [epel-all]2020-06-29
Bugzilla
CVE-2020-10941 mbedtls: cache attack against RSA key import in SGX [fedora-all]2020-06-29
CVE-2020-10941 — Missing Encryption of Sensitive Data | cvebase