CVE-2024-45157

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.1 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CISA-ADPADP
5.1 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
VendorProductVersion
armmbed_tls
2.26.0 ≤
𝑥
< 2.28.9
armmbed_tls
3.2.0 ≤
𝑥
< 3.6.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mbedtls
bullseye
unimportant
bullseye (security)
unimportant
bookworm
unimportant
trixie
unimportant
sid
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mbedtls
plucky
needs-triage
oracular
ignored
noble
needs-triage
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage