CVE-2023-2977
- ULN >
- Oracle Linux CVE repository >
- CVE-2023-2977
CVE Details
| Release Date: | 2023-05-30 |
Description
A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.
See more information about CVE-2023-2977 from MITRE CVE dictionary and NIST NVD
CVSS v3.0 metrics
NOTE: The following CVSS v3.0 metrics and score provided are preliminary and subject to review.
| Base Score: | 6.3 | Base Metrics: | AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H |
| Access Vector: | Local network | Attack Complexity: | High |
| Privileges Required: | Low | User Interaction: | None |
| Scope: | Unchanged | Confidentiality Impact: | High |
| Integrity Impact: | None | Availability Impact: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 8 (opensc) | ELSA-2023-7160 | 2023-11-17 |
| Oracle Linux version 9 (opensc) | ELSA-2023-6587 | 2023-11-11 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
