Description
ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentication is configured, allows remote attackers to bypass peer authentication via an X.509 certificate chain with many intermediates. NOTE: although mbed TLS was formerly known as PolarSSL, the releases shipped with the PolarSSL name are not affected.
References (5)
Core 5
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3967
Vendor Advisory x_refsource_confirm
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugs.debian.org/873557
Scores
CVSS v3
8.1
EPSS
0.0008
EPSS Percentile
22.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (30)
arm/mbed_tls
1.3.10
arm/mbed_tls
1.3.11
arm/mbed_tls
1.3.12
arm/mbed_tls
1.3.13
arm/mbed_tls
1.3.14
arm/mbed_tls
1.3.15
arm/mbed_tls
1.3.16
arm/mbed_tls
1.3.17
arm/mbed_tls
1.3.18
arm/mbed_tls
1.3.19
... and 20 more
Published
Aug 30, 2017
Tracked Since
Feb 18, 2026