CVE-2023-4535
Public on 2023-10-06
Modified on 2024-02-12
Description
Out-of-bounds read in MyEID driver handling encryption using symmetric keys
This issue require physical access to the computer running opensc and crafted USB device or smart card that would present the system with specially crafted responses to the APDUs so they are considered a high-complexity and low-severity.
This issue is in the code handling symmetric keys, which are not widely used for example for desktop login so most of the deployments are not affected.
This issue require physical access to the computer running opensc and crafted USB device or smart card that would present the system with specially crafted responses to the APDUs so they are considered a high-complexity and low-severity.
This issue is in the code handling symmetric keys, which are not widely used for example for desktop login so most of the deployments are not affected.
Severity
Low
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | opensc | Not Affected | ||
| Amazon Linux 2023 | opensc | 2023-10-30 | ALAS2023-2023-417 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 3.1 | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| NVD | CVSSv3 | 4.5 | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L |