CVE-2020-36477
Summary
| CVE | CVE-2020-36477 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-08-23 02:15:00 UTC |
| Updated | 2023-01-13 19:59:00 UTC |
| Description | An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though). |
Risk And Classification
Problem Types: CWE-295
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Mbed TLS: Multiple Vulnerabilities (GLSA 202301-08) — Gentoo security | GENTOO | security.gentoo.org | |
| Release Mbed TLS 2.24.0 · ARMmbed/mbedtls · GitHub | MISC | github.com | |
| Erroneous handling of IP address SANs · Issue #3498 · ARMmbed/mbedtls · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710702 Gentoo Linux Mbed Transport Layer Security (TLS) Multiple Vulnerabilities (GLSA 202301-08)