CVE-2024-45620

2024-09-0322:15:05

Debian Security Bug Tracker

security-tracker.debian.org

vulnerability

pkcs15-init tool

opensc

usb device

smart card

apdus

buffer access

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

22.3%

JSON

A vulnerability was found in the pkcs15-init tool in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.

OSVersionArchitecturePackageVersionFilename
Debian12allopensc<= 0.23.0-0.3+deb12u1opensc_0.23.0-0.3+deb12u1_all.deb
Debian11allopensc<= 0.21.0-1opensc_0.21.0-1_all.deb
Debian999allopensc<= 0.25.1-2opensc_0.25.1-2_all.deb
Debian13allopensc<= 0.25.1-2opensc_0.25.1-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	opensc	<= 0.23.0-0.3+deb12u1	opensc_0.23.0-0.3+deb12u1_all.deb
Debian	11	all	opensc	<= 0.21.0-1	opensc_0.21.0-1_all.deb
Debian	999	all	opensc	<= 0.25.1-2	opensc_0.25.1-2_all.deb
Debian	13	all	opensc	<= 0.25.1-2	opensc_0.25.1-2_all.deb