Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.
Weakness
The product initializes or sets a resource with a default that is intended to be changed by the product’s installer, administrator, or maintainer, but the default is not secure.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mbed_tls | Arm | * | 2.28.10 (excluding) |
| Mbed_tls | Arm | 3.0.0 (including) | 3.6.3 (excluding) |
| Mbedtls | Ubuntu | devel | * |
| Mbedtls | Ubuntu | esm-apps/bionic | * |
| Mbedtls | Ubuntu | esm-apps/focal | * |
| Mbedtls | Ubuntu | esm-apps/jammy | * |
| Mbedtls | Ubuntu | esm-apps/noble | * |
| Mbedtls | Ubuntu | esm-apps/xenial | * |
| Mbedtls | Ubuntu | focal | * |
| Mbedtls | Ubuntu | jammy | * |
| Mbedtls | Ubuntu | noble | * |
| Mbedtls | Ubuntu | oracular | * |
| Mbedtls | Ubuntu | plucky | * |
| Mbedtls | Ubuntu | questing | * |
| Mbedtls | Ubuntu | upstream | * |