CVE-2024-1454

EPSS 0.08%
Veröffentlicht 12.02.2024 23:15:08
Zuletzt bearbeitet 21.11.2024 08:50:37
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occuring in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can allow for compromised card management operations during enrolment.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensc Project ≫ Opensc Version < 0.25.0

Fedoraproject ≫ Fedora Version38

Fedoraproject ≫ Fedora Version39

Fedoraproject ≫ Fedora Version40

Redhat ≫ Enterprise Linux Version7.0

Redhat ≫ Enterprise Linux Version8.0

Redhat ≫ Enterprise Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.244

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.4	0.4	2.7	CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
secalert@redhat.com	3.4	0.4	2.7	CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OWIZ5ZLO5ECYPLSTESCF7I7PQO5X6ZSU/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJI2FWLY24EOPALQ43YPQEZMEP3APPPI/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UECKC7X4IM4YZQ5KRQMNBNKNOXLZC7RZ/

https://access.redhat.com/security/cve/CVE-2024-1454

Third Party Advisory

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64898

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=2263929

Third Party Advisory

Issue Tracking

https://github.com/OpenSC/OpenSC/commit/5835f0d4f6c033bd58806d33fa546908d39825c9

Patch

https://nvd.nist.gov/vuln/detail/CVE-2024-1454

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1454

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1454

EUVD