Lucene search

K
cve[email protected]CVE-2023-2977
HistoryJun 01, 2023 - 1:15 a.m.

CVE-2023-2977

2023-06-0101:15:17
CWE-119
CWE-125
web.nvd.nist.gov
53
opensc
pkcs15
buffer overrun
vulnerability
cve-2023-2977
security flaw
asn1
smart card
asan

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%

A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.

Affected configurations

Vulners
NVD
Node
opensc-projectopenscRange0.23.0
VendorProductVersionCPE
opensc\-projectopensc*cpe:2.3:a:opensc\-project:opensc:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "OpenSC",
    "versions": [
      {
        "version": "opensc-0.23.0",
        "status": "affected"
      }
    ]
  }
]

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

6.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

5.1%