CVE-2020-36478

An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 LTS and before 2.7.18 LTS). A NULL algorithm parameters entry looks identical to an array of REAL (size zero) and thus the certificate is considered valid. However, if the parameters do not match in any way, then the certificate should be considered invalid.

References

Affected packages

Git / github.com/mbed-tls/mbedtls

Affected ranges

Type: GIT
Repo: https://github.com/mbed-tls/mbedtls
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1c54b5410fd48d6bcada97e30cac417c5c7eea67

Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3fac0bae4a50113989b3d015cd2d948f51a6d9ac

Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

78d9663acec4ac72af43e2db57fc73a24e856108

Introduced

3f8d78411a26e833db18d9fbde0e2f0baeda87f0

Fixed

1c54b5410fd48d6bcada97e30cac417c5c7eea67

Introduced

8be0e6db41b4a085e90cb03983f99d3a5158d450

Fixed

3fac0bae4a50113989b3d015cd2d948f51a6d9ac

Affected versions

mbedtls-2.*

mbedtls-2.10.0

mbedtls-2.11.0

mbedtls-2.12.0

mbedtls-2.13.0

mbedtls-2.13.1

mbedtls-2.14.0

mbedtls-2.16.0

mbedtls-2.16.1

mbedtls-2.16.2

mbedtls-2.16.3

mbedtls-2.16.4

mbedtls-2.16.5

mbedtls-2.16.6

mbedtls-2.16.7

mbedtls-2.16.8

mbedtls-2.17.0

mbedtls-2.18.0

mbedtls-2.19.0

mbedtls-2.19.0d1

mbedtls-2.19.0d2

mbedtls-2.19.1

mbedtls-2.20.0

mbedtls-2.20.0d0

mbedtls-2.20.0d1

mbedtls-2.21.0

mbedtls-2.22.0

mbedtls-2.22.0d0

mbedtls-2.23.0

mbedtls-2.24.0

mbedtls-2.8.0

mbedtls-2.9.0

v2.*

v2.16.7

v2.16.8

v2.23.0

v2.24.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-36478.json"