CVE-2023-4535

2023-11-0617:15:12

Debian Security Bug Tracker

security-tracker.debian.org

opensc

myeid

unauthorized access

sensitive data

usb device

vulnerability

4.5 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

6.2 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

24.9%

JSON

An out-of-bounds read vulnerability was found in OpenSC packages within the MyEID driver when handling symmetric key encryption. Exploiting this flaw requires an attacker to have physical access to the computer and a specially crafted USB device or smart card. This flaw allows the attacker to manipulate APDU responses and potentially gain unauthorized access to sensitive data, compromising the system’s security.

OSVersionArchitecturePackageVersionFilename
Debian12allopensc< 0.23.0-0.3+deb12u1opensc_0.23.0-0.3+deb12u1_all.deb
Debian11allopensc< 0.21.0-1opensc_0.21.0-1_all.deb
Debian10allopensc< 0.19.0-1+deb10u1opensc_0.19.0-1+deb10u1_all.deb
Debian999allopensc< 0.23.0-2opensc_0.23.0-2_all.deb
Debian13allopensc< 0.23.0-2opensc_0.23.0-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	opensc	< 0.23.0-0.3+deb12u1	opensc_0.23.0-0.3+deb12u1_all.deb
Debian	11	all	opensc	< 0.21.0-1	opensc_0.21.0-1_all.deb
Debian	10	all	opensc	< 0.19.0-1+deb10u1	opensc_0.19.0-1+deb10u1_all.deb
Debian	999	all	opensc	< 0.23.0-2	opensc_0.23.0-2_all.deb
Debian	13	all	opensc	< 0.23.0-2	opensc_0.23.0-2_all.deb