Lucene search

K

GoogleOSV:CVE-2023-45232

HistoryJan 16, 2024 - 4:15 p.m.

CVE-2023-45232

2024-01-1616:15:12

Google

osv.dev

13

edk2

network package

infinite loop

vulnerability

parsing

ipv6

destination options

attacker

unauthorized access

availability

CVSS3

8.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.005

Percentile

76.7%

EDK2’s Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This
vulnerability can be exploited by an attacker to gain unauthorized
access and potentially lead to a loss of Availability.

References

packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html

www.openwall.com/lists/oss-security/2024/01/16/2

github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h

lists.fedoraproject.org/archives/list/[email protected]/message/SJ42V7O7F4OU6R7QSQQECLB6LDHKZIMQ/

security.netapp.com/advisory/ntap-20240307-0011/

CVSS3

8.8

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.005

Percentile

76.7%

Related for OSV:CVE-2023-45232

nessus46 osv19 thn1 openvas6 amazon1 cert1 redhat20 redos1 oraclelinux11 debian1 rocky2 ubuntu1 fedora1 almalinux6 ubuntucve9 redhatcve9 cbl_mariner23 cvelist7 debiancve6 cve7 nvd7 prion7 alpinelinux7