Vulnerability-Lookup

CVE-2022-4087 (GCVE-0-2022-4087)

Vulnerability from cvelistv5 – Published: 2022-11-21 00:00 – Updated: 2025-04-15 13:12

Title

iPXE TLS tls.c tls_new_ciphertext information exposure

Summary

A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.

Severity ?

2.6 (Low)


                        
                          CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-284 - Improper Access Controls -> CWE-200 Information Disclosure -> CWE-203 Information Exposure Through Discrepancy

Assigner

VulDB

References

URL

Tags

	https://github.com/ipxe/ipxe/commit/186306d619909…
	https://vuldb.com/?id.214054

Impacted products

	Vendor	Product	Version
	unspecified	iPXE	Affected: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:27:54.389Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.214054"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-4087",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-14T17:05:02.716531Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T13:12:13.009Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "iPXE",
          "vendor": "unspecified",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Controls -\u003e CWE-200 Information Disclosure -\u003e CWE-203 Information Exposure Through Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-21T00:00:00.000Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
        },
        {
          "url": "https://vuldb.com/?id.214054"
        }
      ],
      "title": "iPXE TLS tls.c tls_new_ciphertext information exposure",
      "x_generator": "vuldb.com"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2022-4087",
    "datePublished": "2022-11-21T00:00:00.000Z",
    "dateReserved": "2022-11-20T00:00:00.000Z",
    "dateUpdated": "2025-04-15T13:12:13.009Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ipxe:ipxe:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2022-11-08\", \"matchCriteriaId\": \"F3AF5B8D-B282-4683-96B5-FBBFBB7F1DEB\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 una vulnerabilidad en iPXE. Ha sido declarado problem\\u00e1tico. Esta vulnerabilidad afecta a la funci\\u00f3n tls_new_ciphertext del archivo src/net/tls.c del componente TLS. La manipulaci\\u00f3n del argumento pad_len conduce a la exposici\\u00f3n de la informaci\\u00f3n a trav\\u00e9s de discrepancia. El nombre del parche es 186306d6199096b7a7c4b4574d4be8cdb8426729. Se recomienda aplicar un parche para solucionar este problema. VDB-214054 es el identificador asignado a esta vulnerabilidad.\"}]",
      "id": "CVE-2022-4087",
      "lastModified": "2024-11-21T07:34:33.490",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"cna@vuldb.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 2.6, \"baseSeverity\": \"LOW\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2022-11-21T07:15:08.957",
      "references": "[{\"url\": \"https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729\", \"source\": \"cna@vuldb.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://vuldb.com/?id.214054\", \"source\": \"cna@vuldb.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://vuldb.com/?id.214054\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "cna@vuldb.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"cna@vuldb.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-4087\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2022-11-21T07:15:08.957\",\"lastModified\":\"2024-11-21T07:34:33.490\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad en iPXE. Ha sido declarado problem\u00e1tico. Esta vulnerabilidad afecta a la funci\u00f3n tls_new_ciphertext del archivo src/net/tls.c del componente TLS. La manipulaci\u00f3n del argumento pad_len conduce a la exposici\u00f3n de la informaci\u00f3n a trav\u00e9s de discrepancia. El nombre del parche es 186306d6199096b7a7c4b4574d4be8cdb8426729. Se recomienda aplicar un parche para solucionar este problema. VDB-214054 es el identificador asignado a esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.6,\"baseSeverity\":\"LOW\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ipxe:ipxe:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2022-11-08\",\"matchCriteriaId\":\"F3AF5B8D-B282-4683-96B5-FBBFBB7F1DEB\"}]}]}],\"references\":[{\"url\":\"https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://vuldb.com/?id.214054\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://vuldb.com/?id.214054\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"iPXE TLS tls.c tls_new_ciphertext information exposure\", \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2022-11-21T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.\"}], \"affected\": [{\"vendor\": \"unspecified\", \"product\": \"iPXE\", \"versions\": [{\"version\": \"n/a\", \"status\": \"affected\"}]}], \"references\": [{\"url\": \"https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729\"}, {\"url\": \"https://vuldb.com/?id.214054\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"attackVector\": \"ADJACENT_NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\", \"baseScore\": 2.6, \"baseSeverity\": \"LOW\"}}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"CWE-284 Improper Access Controls -\u003e CWE-200 Information Disclosure -\u003e CWE-203 Information Exposure Through Discrepancy\", \"cweId\": \"CWE-284\"}]}], \"x_generator\": \"vuldb.com\"}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T01:27:54.389Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://vuldb.com/?id.214054\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-4087\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-14T17:05:02.716531Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-14T17:05:05.996Z\"}}]}",
      "cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2022-4087\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"assignerShortName\": \"VulDB\", \"dateUpdated\": \"2025-04-15T13:12:13.009Z\", \"dateReserved\": \"2022-11-20T00:00:00.000Z\", \"datePublished\": \"2022-11-21T00:00:00.000Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CNVD-2022-87019

Vulnerability from cnvd - Published: 2022-12-08

Title

iPXE信息泄露漏洞

Description

iPXE是iPXE开源的一种网络引导程序。 iPXE iPXE 2022.11.08之前版本存在信息泄露漏洞，该漏洞会影响组件TLS src/net/tls.c 文件中的tls_new_ciphertext功能，攻击者可利用漏洞获取敏感信息。

Severity

中

Patch Name

iPXE信息泄露漏洞的补丁

Patch Description

iPXE是iPXE开源的一种网络引导程序。 iPXE iPXE 2022.11.08之前版本存在信息泄露漏洞，该漏洞会影响组件TLS src/net/tls.c 文件中的tls_new_ciphertext功能，攻击者可利用漏洞获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/ipxe/ipxe/

Reference

https://vuldb.com/?id.214054

Impacted products

Name
iPXE iPXE <2022.11.08

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-4087",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-4087"
    }
  },
  "description": "iPXE\u662fiPXE\u5f00\u6e90\u7684\u4e00\u79cd\u7f51\u7edc\u5f15\u5bfc\u7a0b\u5e8f\u3002\n\niPXE iPXE 2022.11.08\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u4f1a\u5f71\u54cd\u7ec4\u4ef6TLS src/net/tls.c \u6587\u4ef6\u4e2d\u7684tls_new_ciphertext\u529f\u80fd\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/ipxe/ipxe/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-87019",
  "openTime": "2022-12-08",
  "patchDescription": "iPXE\u662fiPXE\u5f00\u6e90\u7684\u4e00\u79cd\u7f51\u7edc\u5f15\u5bfc\u7a0b\u5e8f\u3002\r\n\r\niPXE iPXE 2022.11.08\u4e4b\u524d\u7248\u672c\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u4f1a\u5f71\u54cd\u7ec4\u4ef6TLS src/net/tls.c \u6587\u4ef6\u4e2d\u7684tls_new_ciphertext\u529f\u80fd\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "iPXE\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "iPXE iPXE \u003c2022.11.08"
  },
  "referenceLink": "https://vuldb.com/?id.214054",
  "serverity": "\u4e2d",
  "submitTime": "2022-11-23",
  "title": "iPXE\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

FKIE_CVE-2022-4087

Vulnerability from fkie_nvd - Published: 2022-11-21 07:15 - Updated: 2024-11-21 07:34

Severity ?

2.6 (Low) - CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
cna@vuldb.com	https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729	Patch, Third Party Advisory
cna@vuldb.com	https://vuldb.com/?id.214054	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://vuldb.com/?id.214054	Third Party Advisory

Impacted products

	Vendor	Product	Version
	ipxe	ipxe	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ipxe:ipxe:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3AF5B8D-B282-4683-96B5-FBBFBB7F1DEB",
              "versionEndExcluding": "2022-11-08",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una vulnerabilidad en iPXE. Ha sido declarado problem\u00e1tico. Esta vulnerabilidad afecta a la funci\u00f3n tls_new_ciphertext del archivo src/net/tls.c del componente TLS. La manipulaci\u00f3n del argumento pad_len conduce a la exposici\u00f3n de la informaci\u00f3n a trav\u00e9s de discrepancia. El nombre del parche es 186306d6199096b7a7c4b4574d4be8cdb8426729. Se recomienda aplicar un parche para solucionar este problema. VDB-214054 es el identificador asignado a esta vulnerabilidad."
    }
  ],
  "id": "CVE-2022-4087",
  "lastModified": "2024-11-21T07:34:33.490",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "cna@vuldb.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-21T07:15:08.957",
  "references": [
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
    },
    {
      "source": "cna@vuldb.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://vuldb.com/?id.214054"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://vuldb.com/?id.214054"
    }
  ],
  "sourceIdentifier": "cna@vuldb.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "cna@vuldb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-4087

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-4087

Aliases

CVE-2022-4087

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-4087",
    "description": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.",
    "id": "GSD-2022-4087"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-4087"
      ],
      "details": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.",
      "id": "GSD-2022-4087",
      "modified": "2023-12-13T01:19:15.437936Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@vuldb.com",
        "ID": "CVE-2022-4087",
        "REQUESTER": "cna@vuldb.com",
        "STATE": "PUBLIC",
        "TITLE": "iPXE TLS tls.c tls_new_ciphertext information exposure"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "iPXE",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": ""
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability."
          }
        ]
      },
      "generator": "vuldb.com",
      "impact": {
        "cvss": {
          "baseScore": "2.6",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-284 Improper Access Controls -\u003e CWE-200 Information Disclosure -\u003e CWE-203 Information Exposure Through Discrepancy"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729",
            "refsource": "MISC",
            "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
          },
          {
            "name": "https://vuldb.com/?id.214054",
            "refsource": "MISC",
            "url": "https://vuldb.com/?id.214054"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:ipxe:ipxe:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2022-11-08",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cna@vuldb.com",
          "ID": "CVE-2022-4087"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-203"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://vuldb.com/?id.214054",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://vuldb.com/?id.214054"
            },
            {
              "name": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-07-10T18:48Z",
      "publishedDate": "2022-11-21T07:15Z"
    }
  }
}

MSRC_CVE-2022-4087

Vulnerability from csaf_microsoft - Published: 2022-11-02 00:00 - Updated: 2025-09-03 22:55

Summary

iPXE TLS tls.c tls_new_ciphertext information exposure

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2022-4087 iPXE TLS tls.c tls_new_ciphertext information exposure - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-4087.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "iPXE TLS tls.c tls_new_ciphertext information exposure",
    "tracking": {
      "current_release_date": "2025-09-03T22:55:05.000Z",
      "generator": {
        "date": "2025-10-20T00:04:34.226Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2022-4087",
      "initial_release_date": "2022-11-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-09-03T22:55:05.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 ipxe 1.21.1-1",
                "product": {
                  "name": "azl3 ipxe 1.21.1-1",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "ipxe"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 ipxe 1.21.1-1 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-4087",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "general",
          "text": "VulDB",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-4087 iPXE TLS tls.c tls_new_ciphertext information exposure - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2022/msrc_cve-2022-4087.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 2.6,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "17084-1"
          ]
        }
      ],
      "title": "iPXE TLS tls.c tls_new_ciphertext information exposure"
    }
  ]
}

GHSA-CJ89-CWCX-M929

Vulnerability from github – Published: 2022-11-21 09:30 – Updated: 2022-11-30 15:30

Details

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-4087"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-203"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in iPXE. It has been declared as problematic. This vulnerability affects the function tls_new_ciphertext of the file src/net/tls.c of the component TLS. The manipulation of the argument pad_len leads to information exposure through discrepancy. The name of the patch is 186306d6199096b7a7c4b4574d4be8cdb8426729. It is recommended to apply a patch to fix this issue. VDB-214054 is the identifier assigned to this vulnerability.",
  "id": "GHSA-cj89-cwcx-m929",
  "modified": "2022-11-30T15:30:26Z",
  "published": "2022-11-21T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4087"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.214054"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-4087 (GCVE-0-2022-4087)

CNVD-2022-87019

FKIE_CVE-2022-4087

GSD-2022-4087

MSRC_CVE-2022-4087

GHSA-CJ89-CWCX-M929

Tags

Sightings

Nomenclature