cbcvebase.
CVE-2020-16150
published 2020-09-02

CVE-2020-16150: A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret…

PriorityP424medium5.5CVSS 3.1
AVLACLPRLUINSUCHINAN
EPSS
0.37%
28.7th percentile
A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/ssl_msg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length.

Affected

12 ranges
VendorProductVersion rangeFixed in
armmbed_tls< 2.7.172.7.17
armmbed_tls>= 2.17.0 < 2.24.02.24.0
armmbed_tls>= 2.8.0 < 2.16.82.16.8
debiandebian_linux
debianmbedtls< mbedtls 2.16.9-0.1 (bookworm)mbedtls 2.16.9-0.1 (bookworm)
fedoraprojectfedora
fedoraprojectfedora
fedoraprojectfedora
mbedmbedtls>= 0 < 2.16.9-0.12.16.9-0.1
mbedmbedtls>= 0 < 2.16.9-0.12.16.9-0.1
mbedmbedtls>= 0 < 2.16.9-0.12.16.9-0.1
mbedmbedtls>= 0 < 2.16.9-0.12.16.9-0.1

CVSS provenance

nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.02.1LOWAV:L/AC:L/Au:N/C:P/I:N/A:N
osv5.5MEDIUM
vendor_debian5.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.