CVE-2017-2784 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-2784 Interim 1 15 2023-12-09T01:09:43Z current 2021-05-30T13:50:23Z 2023-12-09T01:09:43Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-2784 An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WRIPVQ2ATMWAEIYYJETVM2L3IO7IWKFA/#WRIPVQ2ATMWAEIYYJETVM2L3IO7IWKFA E-Mail link for openSUSE-SU-2017:0790-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FAMN75AB4YE4LABPQEYS2NAM6F32VCFZ/#FAMN75AB4YE4LABPQEYS2NAM6F32VCFZ E-Mail link for openSUSE-SU-2017:0792-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 12 openSUSE Tumbleweed libmbedcrypto7-2.27.0-1.2 libmbedcrypto7-32bit-2.27.0-1.2 libmbedtls13-2.27.0-1.2 libmbedtls13-32bit-2.27.0-1.2 libmbedtls9-1.3.19-5.1 libmbedx509-1-2.27.0-1.2 libmbedx509-1-32bit-2.27.0-1.2 mbedtls-devel-1.3.19-5.1 mbedtls-devel-2.27.0-1.2 libmbedtls9-1.3.19-5.1 as a component of SUSE Package Hub 12 mbedtls-devel-1.3.19-5.1 as a component of SUSE Package Hub 12 libmbedcrypto7-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedcrypto7-32bit-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedtls13-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedtls13-32bit-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedx509-1-2.27.0-1.2 as a component of openSUSE Tumbleweed libmbedx509-1-32bit-2.27.0-1.2 as a component of openSUSE Tumbleweed mbedtls-devel-2.27.0-1.2 as a component of openSUSE Tumbleweed An exploitable free of a stack pointer vulnerability exists in the x509 certificate parsing code of ARM mbed TLS before 1.3.19, 2.x before 2.1.7, and 2.4.x before 2.4.2. A specially crafted x509 certificate, when parsed by mbed TLS library, can cause an invalid free of a stack pointer leading to a potential remote code execution. In order to exploit this vulnerability, an attacker can act as either a client or a server on a network to deliver malicious x509 certificates to vulnerable applications. CVE-2017-2784 SUSE Package Hub 12:libmbedtls9-1.3.19-5.1 SUSE Package Hub 12:mbedtls-devel-1.3.19-5.1 openSUSE Tumbleweed:libmbedcrypto7-2.27.0-1.2 openSUSE Tumbleweed:libmbedcrypto7-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-2.27.0-1.2 openSUSE Tumbleweed:libmbedtls13-32bit-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-2.27.0-1.2 openSUSE Tumbleweed:libmbedx509-1-32bit-2.27.0-1.2 openSUSE Tumbleweed:mbedtls-devel-2.27.0-1.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H