CVE-2023-40546

2024-01-2917:15:08

CWE-476

[email protected]

web.nvd.nist.gov

shim

esl variable

error message

logging function

crash

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

29.5%

JSON

A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an error message to the user; however, the number of parameters used by the logging function doesn’t match the format string used by it, leading to a crash under certain circumstances.

Affected configurations

Nvd

Node

redhatshimRange<15.8

Node

fedoraprojectfedoraMatch39

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

VendorProductVersionCPE
redhatshim*cpe:2.3:a:redhat:shim:*:*:*:*:*:*:*:*
fedoraprojectfedora39cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhatenterprise_linux9.0cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	shim	*	cpe:2.3:a:redhat:shim::::::::
fedoraproject	fedora	39	cpe:2.3:o:fedoraproject:fedora:39:::::::*
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
redhat	enterprise_linux	9.0	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*