gsd-2023-45232
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
Aliases
Aliases
CVE-2023-45232


To clipboard 

{
  "GSD": {
    "alias": "CVE-2023-45232",
    "id": "GSD-2023-45232"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-45232"
      ],
      "details": " EDK2\u0027s Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\n\n",
      "id": "GSD-2023-45232",
      "modified": "2023-12-13T01:20:38.142938Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "infosec@edk2.groups.io",
        "ID": "CVE-2023-45232",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "edk2",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "edk2-stable202308"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "TianoCore"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Quarkslab Vulnerability Reports Team"
        },
        {
          "lang": "en",
          "value": "Doug Flick"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": " EDK2\u0027s Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-835",
                "lang": "eng",
                "value": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h",
            "refsource": "MISC",
            "url": "https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2024/01/16/2",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2024/01/16/2"
          },
          {
            "name": "http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20240307-0011/",
            "refsource": "MISC",
            "url": "https://security.netapp.com/advisory/ntap-20240307-0011/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJ42V7O7F4OU6R7QSQQECLB6LDHKZIMQ/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJ42V7O7F4OU6R7QSQQECLB6LDHKZIMQ/"
          }
        ]
      },
      "source": {
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:tianocore:edk2:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "3CEB3105-57CC-4096-81D3-D58005813C4B",
                    "versionEndIncluding": "202311",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": " EDK2\u0027s Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This\n vulnerability can be exploited by an attacker to gain unauthorized \naccess and potentially lead to a loss of Availability.\n\n"
          },
          {
            "lang": "es",
            "value": "EDK2\u0027s Network Package es susceptible a una vulnerabilidad de bucle infinito al analizar opciones desconocidas en el encabezado Destination Options de IPv6. Un atacante puede aprovechar esta vulnerabilidad para obtener acceso no autorizado y potencialmente provocar una p\u00e9rdida de disponibilidad."
          }
        ],
        "id": "CVE-2023-45232",
        "lastModified": "2024-03-13T02:15:50.347",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "infosec@edk2.groups.io",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-01-16T16:15:12.090",
        "references": [
          {
            "source": "infosec@edk2.groups.io",
            "tags": [
              "Third Party Advisory",
              "VDB Entry"
            ],
            "url": "http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html"
          },
          {
            "source": "infosec@edk2.groups.io",
            "tags": [
              "Mailing List"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/16/2"
          },
          {
            "source": "infosec@edk2.groups.io",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h"
          },
          {
            "source": "infosec@edk2.groups.io",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJ42V7O7F4OU6R7QSQQECLB6LDHKZIMQ/"
          },
          {
            "source": "infosec@edk2.groups.io",
            "url": "https://security.netapp.com/advisory/ntap-20240307-0011/"
          }
        ],
        "sourceIdentifier": "infosec@edk2.groups.io",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-835"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-835"
              }
            ],
            "source": "infosec@edk2.groups.io",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.