Buffer Overrun Vulnerability in OpenSC's PKCS15 Function
CVE-2023-2977

7.1 HIGH

Key Information:

CVE Published: 1 June 2023

What is CVE-2023-2977?

OpenSC contains a buffer overrun in the pkcs15 cardos_have_verifyrc_package function. It is triggered when a malformed ASN.1 context is supplied within a smart card package. Because the length is calculated incorrectly from a shifted starting pointer, the flaw may lead to a heap-based out-of-bounds read. If OpenSC is compiled with AddressSanitizer (ASAN), this may result in application crashes; further information leakage or additional exploitation could extend the risk.
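
The bug class described above (a remaining length that is not adjusted after the parse pointer has moved), as an added illustration in C. This is not OpenSC's code: the one-byte tag/length format, the names find_tag, stale_len_excess and count_tag, and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Simplified TLV (assumption): 1-byte tag, 1-byte length, value. Returns a
 * pointer to the value of the first `tag` element, or NULL if absent/malformed. */
static const uint8_t *find_tag(const uint8_t *p, size_t len, uint8_t tag, size_t *vlen)
{
    const uint8_t *end = p + len;
    while ((size_t)(end - p) >= 2) {
        uint8_t t = p[0];
        size_t l = p[1];
        p += 2;
        if (l > (size_t)(end - p)) return NULL;   /* declared length exceeds buffer */
        if (t == tag) { *vlen = l; return p; }
        p += l;
    }
    return NULL;
}

/* Bug class: find_tag() moved the pointer past skipped elements and the header, yet only
 * vlen is subtracted. Returns how far past the buffer the stale length reaches (no read made). */
static size_t stale_len_excess(const uint8_t *buf, size_t len, uint8_t tag)
{
    size_t vlen = 0;
    const uint8_t *v = find_tag(buf, len, tag, &vlen);
    if (v == NULL) return 0;
    size_t claimed = len - vlen;                          /* ignores the shift */
    size_t actual = (size_t)((buf + len) - (v + vlen));   /* bytes really left */
    return claimed - actual;
}

/* Hardened loop: the remaining length is always derived from a fixed end pointer. */
static int count_tag(const uint8_t *buf, size_t len, uint8_t tag)
{
    const uint8_t *p = buf, *end = buf + len;
    size_t vlen = 0;
    int n = 0;
    while ((p = find_tag(p, (size_t)(end - p), tag, &vlen)) != NULL) {
        n++;
        p += vlen;
    }
    return n;
}

/* Constructed sample: one 0x80 element, then two 0xE1 elements. */
static const uint8_t sample[] = {0x80, 0x01, 0xAA, 0xE1, 0x02, 0x01, 0x07, 0xE1, 0x01, 0x02};
int main(void)
{
    printf("excess=%zu count=%d\n", stale_len_excess(sample, sizeof sample, 0xE1), count_tag(sample, sizeof sample, 0xE1));
}
```

On the sample, the stale accounting overstates the remaining data by the three skipped bytes plus the two header bytes, which is the window an out-of-bounds read would fall into.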

Affected Version(s)

OpenSC opensc-0.23.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
