CVE-2024-8443

2024-09-1014:15:13

CWE-122

CWE-787

[email protected]

web.nvd.nist.gov

heap-based buffer overflow

libopensc

openpgp driver

usb device

smart card

apdus

card enrollment

pkcs15-init

out-of-bound rights

arbitrary code execution

CVSS3

2.9

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS

Percentile

13.4%

JSON

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the pkcs15-init tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.

Affected configurations

Nvd

Node

opensc_projectopenscMatch-

Node

redhatenterprise_linuxMatch7.0

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

VendorProductVersionCPE
opensc_projectopensc-cpe:2.3:a:opensc_project:opensc:-:*:*:*:*:*:*:*
redhatenterprise_linux7.0cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
redhatenterprise_linux8.0cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
redhatenterprise_linux9.0cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
opensc_project	opensc	-	cpe:2.3:a:opensc_project:opensc:-:::::::*
redhat	enterprise_linux	7.0	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
redhat	enterprise_linux	9.0	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*