CVE-2024-45157
low-risk
Published 2024-09-05
An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Do I need to act?
-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.1/10
Medium
LOCAL
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (3)
Release Notes
https://github.com/Mbed-TLS/mbedtls/releases/
Vendor Advisory
https://mbed-tls.readthedocs.io/en/latest/security-advisories/
19
/ 100
low-risk
Severity
13/34 · Low
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal