CVE-2008-2235 — Code Injection in Opensc

CWE-310 CWE-94 — Code Injection CWE-96 — Static Code Injection9 documents8 sources

Severity

4.9MEDIUMNVD

GHSA9.0

EPSS

0.1%

top 79.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensc Project Opensc Opensc-project Opensc

Timeline

PublishedAug 1

Latest updateMay 17

Description

OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00) for the 5015 directory on smart cards and USB crypto tokens running Siemens CardOS M4, which allows physically proximate attackers to change the PIN.

CVSS vector

AV:L/AC:L/C:N/I:C/A:NExploitability: 3.9 | Impact: 6.9

Affected Packages2 packages

▶Debianopensc_project/opensc< 0.11.4-4+3

▶NVDopensc-project/opensc18 versions+17

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

Cobbler is vulnerable to code injection↗2022-05-17

▶

GHSA

GHSA-8cph-r8x9-fxx9: OpenSC before 0↗2022-05-01

▶

CVEList

CVE-2008-2235: OpenSC before 0↗2008-08-01

▶

OSV

CVE-2008-2235: OpenSC before 0↗2008-08-01

▶

📋Vendor Advisories

Red Hat

(cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file↗2010-10-18

▶

Red Hat

opensc: incorrect initialization of Siemens CardOS M4 smart cards↗2008-07-31

▶

Debian

CVE-2008-2235: opensc - OpenSC before 0.11.5 uses weak permissions (ADMIN file control information of 00...↗2008

▶

💬Community

Bugzilla

CVE-2008-2235, CVE-2008-3972 opensc: incorrect initialization of Siemens CardOS M4 smart cards↗2008-07-31

▶