History: Jul 11, 2024 - 7:50 a.m.

CVE-2024-38433 Nuvoton - CWE-305: Authentication Bypass by Primary Weakness

2024-07-11 07:50:45
CWE-305
INCD
www.cve.org
cve-2024-38433
nuvoton
authentication bypass
spi-flash
npcm7xx
bmc subsystem
u-boot image
arbitrary code execution

CVSS3: 6.7

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0
Percentile: 9.3%

Nuvoton - CWE-305: Authentication Bypass by Primary Weakness

An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the u-boot image header on flash parsed by the BootBlock which could lead to arbitrary code execution.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "NPCM7xx (Poleg) BootBlock",
    "vendor": "Nuvoton",
    "versions": [
      {
        "lessThan": "v10.10.19",
        "status": "affected",
        "version": "All versions",
        "versionType": "custom"
      }
    ]
  }
]
