CVE-2024-1454
Public on 2024-02-12
Modified on 2024-04-02
Description
The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occuring in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can allow for compromised card management operations during enrolment.
Severity
Low
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | opensc | Not Affected | ||
| Amazon Linux 2023 | opensc | 2024-03-27 | ALAS2023-2024-580 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 2.9 | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
| NVD | CVSSv3 | 3.4 | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |