CVE-2020-36476: Improper Removal of Sensitive Information Before Storage or Transfer in ARM Mbed TLS

Severity: 7.5 HIGH (NVD)
EPSS: 0.7% (top 28.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 23; Latest update May 24

Description

An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data from memory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Source   Package        Affected versions
NVD      arm/mbed_tls   2.8.0, 2.16.8 (+2 more)
Debian   mbed/mbedtls   < 2.16.9-0.1 (+3 more)

Also affects: Debian Linux 10.0, 9.0

Vulnerability Details (3)

GHSA: GHSA-gmh5-5f53-3929: An issue was discovered in Mbed TLS before 2... (2022-05-24)
OSV: CVE-2020-36476: An issue was discovered in Mbed TLS before 2... (2021-08-23)
CVEList: CVE-2020-36476: An issue was discovered in Mbed TLS before 2... (2021-08-23)

Vendor Advisories (2)

Microsoft: An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and before 2.7.17 LTS). There is missing zeroization of plaintext buffers in mbedtls_ssl_read to erase unused application data... (2021-08-10)
Debian: CVE-2020-36476: mbedtls - An issue was discovered in Mbed TLS before 2.24.0 (and before 2.16.8 LTS and bef... (2020)
CVE-2020-36476 — ARM Mbed TLS vulnerability | cvebase