JLSEC-2025-212

See a problem?
Please try reporting it to the source first.
Source
https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2025/JLSEC-2025-212.md
Import Source
https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-212.json
JSON Data
https://api.test.osv.dev/v1/vulns/JLSEC-2025-212
Upstream
Published
2025-11-21T15:59:04.054Z
Modified
2025-11-21T16:20:56.093339Z
Summary
An issue was discovered in Mbed TLS before 2.24.0
Details

An issue was discovered in Mbed TLS before 2.24.0. The verification of X.509 certificates when matching the expected common name (the cn argument of mbedtlsx509crt_verify) with the actual certificate name is mishandled: when the subjecAltName extension is present, the expected name is compared to any name in that extension regardless of its type. This means that an attacker could impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 address (this would require the attacker to control that IP address, though).

Database specific 
{
    "sources": [
        {
            "modified": "2024-11-21T05:29:38.067Z",
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36477",
            "published": "2021-08-23T02:15:07.043Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2020-36477",
            "imported": "2025-11-20T23:04:00.327Z",
            "id": "CVE-2020-36477"
        }
    ],
    "license": "CC-BY-4.0"
}
References

Affected packages

Julia / MbedTLS_jll

Package

Name
MbedTLS_jll
Purl
pkg:julia/MbedTLS_jll?uuid=c8ffd9c3-330d-5841-b78e-0817d7145fa1

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.24.0+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2025/JLSEC-2025-212.json"