7.5

CVE-2023-24826

EPSS 0.26%
Veröffentlicht 30.05.2023 17:15:09
Zuletzt bearbeitet 21.11.2024 07:48:28
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. Prior to version 2023.04, an attacker can send crafted frames to the device to trigger the usage of an uninitialized object leading to denial of service. This issue is fixed in version 2023.04. As a workaround, disable fragment forwarding or SFR.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Riot-os ≫ Riot Version < 2023.04

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.26%	0.487

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-824 Access of Uninitialized Pointer

The product accesses or uses a pointer that has not been initialized.

https://github.com/RIOT-OS/RIOT/blob/ccbb304eae7b59e8aca24a6ffd095b5b3f7720ee/sys/net/gnrc/network_layer/sixlowpan/frag/sfr/gnrc_sixlowpan_frag_sfr.c#L402

Product

https://github.com/RIOT-OS/RIOT/blob/ccbb304eae7b59e8aca24a6ffd095b5b3f7720ee/sys/net/gnrc/network_layer/sixlowpan/frag/sfr/gnrc_sixlowpan_frag_sfr.c#L420

Product

https://github.com/RIOT-OS/RIOT/commit/287f030af20e829469cdf740606148018a5a220d

Patch

https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-xfj4-9g7w-f4gh

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-24826

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-24826

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-24826

EUVD