CVE-2008-2235 (GCVE-0-2008-2235)

Vulnerability from cvelistv5 – Published: 2008-08-01 14:00 – Updated: 2024-08-07 08:49
VLAI?
Summary
OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
http://www.securityfocus.com/bid/30473 vdb-entryx_refsource_BID
http://secunia.com/advisories/31330 third-party-advisoryx_refsource_SECUNIA
http://secunia.com/advisories/34362 third-party-advisoryx_refsource_SECUNIA
http://www.mandriva.com/security/advisories?name=… vendor-advisoryx_refsource_MANDRIVA
http://www.opensc-project.org/security.html x_refsource_CONFIRM
http://secunia.com/advisories/33115 third-party-advisoryx_refsource_SECUNIA
http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
http://secunia.com/advisories/31360 third-party-advisoryx_refsource_SECUNIA
https://www.redhat.com/archives/fedora-package-an… vendor-advisoryx_refsource_FEDORA
https://www.debian.org/security/2008/dsa-1627 vendor-advisoryx_refsource_DEBIAN
http://www.opensc-project.org/pipermail/opensc-an… mailing-listx_refsource_MLIST
http://secunia.com/advisories/32099 third-party-advisoryx_refsource_SECUNIA
http://lists.opensuse.org/opensuse-security-annou… vendor-advisoryx_refsource_SUSE
http://security.gentoo.org/glsa/glsa-200812-09.xml vendor-advisoryx_refsource_GENTOO
https://exchange.xforce.ibmcloud.com/vulnerabilit… vdb-entryx_refsource_XF
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T08:49:58.703Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "30473",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/30473"
          },
          {
            "name": "31330",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31330"
          },
          {
            "name": "34362",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/34362"
          },
          {
            "name": "MDVSA-2008:183",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRIVA",
              "x_transferred"
            ],
            "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.opensc-project.org/security.html"
          },
          {
            "name": "33115",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/33115"
          },
          {
            "name": "SUSE-SR:2009:004",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
          },
          {
            "name": "31360",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31360"
          },
          {
            "name": "FEDORA-2009-2267",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"
          },
          {
            "name": "DSA-1627",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2008/dsa-1627"
          },
          {
            "name": "[opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"
          },
          {
            "name": "32099",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/32099"
          },
          {
            "name": "SUSE-SR:2008:019",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"
          },
          {
            "name": "GLSA-200812-09",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"
          },
          {
            "name": "opensc-smartcard-cryptotoken-weak-security(44140)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-07-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T12:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "30473",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/30473"
        },
        {
          "name": "31330",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31330"
        },
        {
          "name": "34362",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/34362"
        },
        {
          "name": "MDVSA-2008:183",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRIVA"
          ],
          "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.opensc-project.org/security.html"
        },
        {
          "name": "33115",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/33115"
        },
        {
          "name": "SUSE-SR:2009:004",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
        },
        {
          "name": "31360",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31360"
        },
        {
          "name": "FEDORA-2009-2267",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"
        },
        {
          "name": "DSA-1627",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2008/dsa-1627"
        },
        {
          "name": "[opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"
        },
        {
          "name": "32099",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/32099"
        },
        {
          "name": "SUSE-SR:2008:019",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"
        },
        {
          "name": "GLSA-200812-09",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"
        },
        {
          "name": "opensc-smartcard-cryptotoken-weak-security(44140)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-2235",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "30473",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/30473"
            },
            {
              "name": "31330",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31330"
            },
            {
              "name": "34362",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/34362"
            },
            {
              "name": "MDVSA-2008:183",
              "refsource": "MANDRIVA",
              "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:183"
            },
            {
              "name": "http://www.opensc-project.org/security.html",
              "refsource": "CONFIRM",
              "url": "http://www.opensc-project.org/security.html"
            },
            {
              "name": "33115",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/33115"
            },
            {
              "name": "SUSE-SR:2009:004",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html"
            },
            {
              "name": "31360",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31360"
            },
            {
              "name": "FEDORA-2009-2267",
              "refsource": "FEDORA",
              "url": "https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html"
            },
            {
              "name": "DSA-1627",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2008/dsa-1627"
            },
            {
              "name": "[opensc-announce] 20080731 OpenSC Security Vulnerability and new Versions of OpenSC, OpenCT, LibP11, Pam_P11, Engine_PKCS11",
              "refsource": "MLIST",
              "url": "http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html"
            },
            {
              "name": "32099",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/32099"
            },
            {
              "name": "SUSE-SR:2008:019",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html"
            },
            {
              "name": "GLSA-200812-09",
              "refsource": "GENTOO",
              "url": "http://security.gentoo.org/glsa/glsa-200812-09.xml"
            },
            {
              "name": "opensc-smartcard-cryptotoken-weak-security(44140)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44140"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2008-2235",
    "datePublished": "2008-08-01T14:00:00",
    "dateReserved": "2008-05-16T00:00:00",
    "dateUpdated": "2024-08-07T08:49:58.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:siemens:cardos:m4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FEF8B710-EAF0-4381-B1C5-B2EAA91737DE\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.3.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7D734B35-BA7F-4219-98DA-FCD55E5A37C0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.3.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"349D5BCA-885C-4948-838E-E3904E49598E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"471DBF4E-54B8-4776-A0BA-0F65FE02192E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EA4321E6-1D08-489C-948F-2673C30D762C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8498096A-19A9-4C09-99C3-CC1C45D6BA40\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5028CF13-2807-4813-A542-A1CD6E735CC5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8FD4CB51-068C-4AD2-94AC-59DE20A2AB77\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.8.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2D8CA0B8-AC3B-4D0F-854D-EDF285EC01CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.8.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"931CE287-97AF-4B73-BA57-FB9B9AAA7016\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2BA979A3-A34F-4813-8489-C1985E22A398\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.9.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6A64E85D-B1A7-48FB-8438-8173249ED817\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.9.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"940151B8-6466-43D7-A7EB-A28F13DA5B50\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.9.7:b:*:*:*:*:*:*\", \"matchCriteriaId\": \"0BE84E1D-F765-49E6-84E2-6831A535B67A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.9.7:d:*:*:*:*:*:*\", \"matchCriteriaId\": \"CE85FABD-20F0-4308-B240-0E460E85CA08\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.9.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3752BA88-CA7A-4B79-96C4-A5EC9A6C2AC3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.11.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B093D7C9-242E-4CC7-9971-71D9AE19A7F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.11.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"353AFA23-88C0-45AA-B9EF-EF7A4DC6AFE3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.11.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EA2024C5-238A-4734-B8C6-D4F99EEFBC07\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.11.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DF611D89-FA24-4421-A8A8-5290629C81D1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.11.3:pre3:*:*:*:*:*:*\", \"matchCriteriaId\": \"0ECCFF79-6515-42F8-B986-4C06BE1F79D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:opensc-project:opensc:0.11.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A74B19CB-8AFB-4A07-9A84-063BFF47E089\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN.\"}, {\"lang\": \"es\", \"value\": \"OpenSC anterior a 0.11.5 usa permisos d\\u00e9biles (archivo de control de informaci\\u00f3n ADMIN de 00) para el directorio 5015 en smart cards y crypto tokens USB ejecut\\u00e1ndose Siemens CardOS M4, que permite a atacantes pr\\u00f3ximos f\\u00edsicamente cambiar el PIN.\"}]",
      "id": "CVE-2008-2235",
      "lastModified": "2024-11-21T00:46:24.570",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:N/I:C/A:N\", \"baseScore\": 4.9, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.9, \"impactScore\": 6.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2008-08-01T14:41:00.000",
      "references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/31330\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/31360\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/32099\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/33115\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/34362\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200812-09.xml\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2008:183\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.opensc-project.org/security.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/30473\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/44140\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.debian.org/security/2008/dsa-1627\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/31330\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/31360\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/32099\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/33115\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/34362\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200812-09.xml\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2008:183\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.opensc-project.org/security.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/30473\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/44140\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.debian.org/security/2008/dsa-1627\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vendorComments": "[{\"organization\": \"Siemens\", \"comment\": \"Siemens has analyzed this report and states that no security breach can be found in the Siemens CardOS M4 itself and it thus does not relate to any Siemens component. The reported vulnerability (caused by inappropriate personalization) is due to an issue in the OPENSC middleware detailed information can be found under http://www.opensc-project.org/security.html. \\n\\nTherefore, Siemens recommends all customers and partners using OPENSC to use either the current version 0.11.5 of OPENSC in which this vulnerability is fixed or to use the bug fix suggested under http://freshmeat.net/articles/view/3333/. \\n\\nWe hope that we could help you with this recommendation. \\n\\nIf you have further questions, please contact the Siemens CardOS hotline under:\\n\\nscs-support.med@siemens.com\\n\\nPhone: +49 89 636 35996 (Mo.-Fr. 9:00-17:00 German time)\\n\\n\", \"lastModified\": \"2008-08-14T00:00:00\"}]",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-310\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2008-2235\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2008-08-01T14:41:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN.\"},{\"lang\":\"es\",\"value\":\"OpenSC anterior a 0.11.5 usa permisos d\u00e9biles (archivo de control de informaci\u00f3n ADMIN de 00) para el directorio 5015 en smart cards y crypto tokens USB ejecut\u00e1ndose Siemens CardOS M4, que permite a atacantes pr\u00f3ximos f\u00edsicamente cambiar el PIN.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:N/I:C/A:N\",\"baseScore\":4.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:siemens:cardos:m4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FEF8B710-EAF0-4381-B1C5-B2EAA91737DE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7D734B35-BA7F-4219-98DA-FCD55E5A37C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"349D5BCA-885C-4948-838E-E3904E49598E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"471DBF4E-54B8-4776-A0BA-0F65FE02192E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA4321E6-1D08-489C-948F-2673C30D762C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8498096A-19A9-4C09-99C3-CC1C45D6BA40\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5028CF13-2807-4813-A542-A1CD6E735CC5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8FD4CB51-068C-4AD2-94AC-59DE20A2AB77\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.8.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D8CA0B8-AC3B-4D0F-854D-EDF285EC01CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"931CE287-97AF-4B73-BA57-FB9B9AAA7016\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BA979A3-A34F-4813-8489-C1985E22A398\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.9.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A64E85D-B1A7-48FB-8438-8173249ED817\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.9.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"940151B8-6466-43D7-A7EB-A28F13DA5B50\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.9.7:b:*:*:*:*:*:*\",\"matchCriteriaId\":\"0BE84E1D-F765-49E6-84E2-6831A535B67A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.9.7:d:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE85FABD-20F0-4308-B240-0E460E85CA08\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.9.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3752BA88-CA7A-4B79-96C4-A5EC9A6C2AC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B093D7C9-242E-4CC7-9971-71D9AE19A7F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.11.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"353AFA23-88C0-45AA-B9EF-EF7A4DC6AFE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.11.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EA2024C5-238A-4734-B8C6-D4F99EEFBC07\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.11.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF611D89-FA24-4421-A8A8-5290629C81D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.11.3:pre3:*:*:*:*:*:*\",\"matchCriteriaId\":\"0ECCFF79-6515-42F8-B986-4C06BE1F79D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opensc-project:opensc:0.11.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A74B19CB-8AFB-4A07-9A84-063BFF47E089\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/31330\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/31360\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/32099\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/33115\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/34362\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-09.xml\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2008:183\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.opensc-project.org/security.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/30473\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/44140\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.debian.org/security/2008/dsa-1627\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00005.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/31330\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/31360\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/32099\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/33115\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/34362\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://security.gentoo.org/glsa/glsa-200812-09.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.mandriva.com/security/advisories?name=MDVSA-2008:183\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.opensc-project.org/pipermail/opensc-announce/2008-July/000020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.opensc-project.org/security.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/30473\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/44140\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2008/dsa-1627\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00686.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"vendorComments\":[{\"organization\":\"Siemens\",\"comment\":\"Siemens has analyzed this report and states that no security breach can be found in the Siemens CardOS M4 itself and it thus does not relate to any Siemens component. The reported vulnerability (caused by inappropriate personalization) is due to an issue in the OPENSC middleware detailed information can be found under http://www.opensc-project.org/security.html. \\n\\nTherefore, Siemens recommends all customers and partners using OPENSC to use either the current version 0.11.5 of OPENSC in which this vulnerability is fixed or to use the bug fix suggested under http://freshmeat.net/articles/view/3333/. \\n\\nWe hope that we could help you with this recommendation. \\n\\nIf you have further questions, please contact the Siemens CardOS hotline under:\\n\\nscs-support.med@siemens.com\\n\\nPhone: +49 89 636 35996 (Mo.-Fr. 9:00-17:00 German time)\\n\\n\",\"lastModified\":\"2008-08-14T00:00:00\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.