CVE-2024-28755

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-28755
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-28755.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-28755
Published
2024-04-03T03:15:10Z
Modified
2024-06-06T12:27:23.788530Z
Summary
[none]
Details

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtls_ssl_session_reset() API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection, potentially resulting in a Denial of Service or forced version downgrade from TLS 1.3 to TLS 1.2.

References

Affected packages

Git / github.com/mbed-tls/mbedtls

Affected ranges

Type
GIT
Repo
https://github.com/mbed-tls/mbedtls
Events

Affected versions

mbedtls-3.*

mbedtls-3.5.0
mbedtls-3.5.1
mbedtls-3.5.2

v3.*

v3.5.0
v3.5.1
v3.5.2