CVE-2024-28960Improper Access Control in ARM Mbed TLS

CWE-284Improper Access ControlCWE-653Improper Isolation or Compartmentalization7 documents7 sources
Severity
8.2HIGHNVD
EPSS
0.1%
top 64.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Mbed MbedtlsARM Mbed TLSARM Mbed Crypto+1 more
Timeline
PublishedMar 29

Description

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages3 packages

NVDarm/mbed_crypto3.1.0
NVDarm/mbed_tls2.1.82.28.8+1
Debianmbed/mbedtls< 2.28.8-1+1

Also affects: Fedora 38, 39, 40

🔴Vulnerability Details

3
GHSA
GHSA-6h48-8w2f-5w94: An issue was discovered in Mbed TLS 22024-03-29
CVEList
CVE-2024-28960: An issue was discovered in Mbed TLS 22024-03-29
OSV
CVE-2024-28960: An issue was discovered in Mbed TLS 22024-03-29

📋Vendor Advisories

3
Red Hat
mbedtls: Insecure handling of shared memory in PSA Crypto APIs2024-03-29
Microsoft
An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0 and Mbed Crypto. The PSA Crypto API mishandles shared memory.2024-03-12
Debian
CVE-2024-28960: mbedtls - An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x ...2024
CVE-2024-28960 — Improper Access Control in ARM | cvebase