Lucene search

[email protected]CVE-2023-26084

HistoryMar 15, 2023 - 2:15 p.m.

CVE-2023-26084

2023-03-1514:15:11

CWE-665

[email protected]

web.nvd.nist.gov

arm aarch64cryptolib

api

authentication tag

aes-gcm

man-in-the-middle attack

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

26.1%

JSON

The armv8_dec_aes_gcm_full() API of Arm AArch64cryptolib before 86065c6 fails to the verify the authentication tag of AES-GCM protected data, leading to a man-in-the-middle attack. This occurs because of an improperly initialized variable.

CPENameOperatorVersion
arm:aarch64cryptolibarm aarch64cryptoliblt2023-02-20
arm:aarch64cryptolibarm aarch64cryptolibeq-

CPE	Name	Operator	Version
arm:aarch64cryptolib	arm aarch64cryptolib	lt	2023-02-20
arm:aarch64cryptolib	arm aarch64cryptolib	eq	-

References

github.com/ARM-software/AArch64cryptolib/security/advisories/GHSA-47c6-7x5x-r74g

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

4.5 Medium

AI Score

Confidence

High

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:H/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

26.1%

JSON

Related for CVE-2023-26084

prion1