CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
5.1%
Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow
compromise key generation, certificate loading, and other card management operations during enrollment.
Vendor | Product | Version | CPE |
---|---|---|---|
opensc_project | opensc | * | cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:* |
redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
redhat | enterprise_linux | 9.0 | cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* |
[
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "opensc",
"defaultStatus": "affected",
"versions": [
{
"version": "0:0.20.0-7.el8_9",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/o:redhat:enterprise_linux:8::baseos"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "opensc",
"defaultStatus": "affected",
"versions": [
{
"version": "0:0.23.0-3.el9_3",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/o:redhat:enterprise_linux:9::baseos"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "opensc",
"defaultStatus": "unknown",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
]
}
]
access.redhat.com/errata/RHSA-2023:7876
access.redhat.com/errata/RHSA-2023:7879
access.redhat.com/security/cve/CVE-2023-40661
bugzilla.redhat.com/show_bug.cgi?id=2240913
github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories