CVE-2013-2547 — Sensitive Information Exposure in Kernel

CWE-310 CWE-200 — Sensitive Information Exposure13 documents8 sources

Severity

2.1LOWNVD

EPSS

0.1%

top 72.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Kernel Redhat Enterprise MRG

Timeline

PublishedMar 15

Latest updateMay 13

Description

The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶Debianlinux/linux_kernel< 3.2.41-1+3

▶NVDlinux/linux_kernel3.8.2+185

▶NVDredhat/enterprise_mrg2.0

🔴Vulnerability Details

GHSA

GHSA-9558-m4h2-x96x: The crypto_report_one function in crypto/crypto_user↗2022-05-13

▶

OSV

CVE-2013-2547: The crypto_report_one function in crypto/crypto_user↗2013-03-15

▶

CVEList

CVE-2013-2547: The crypto_report_one function in crypto/crypto_user↗2013-03-14

▶

📋Vendor Advisories

Red Hat

kernel: Information Disclosure in crypto_report_one in crypto/crypto_user.c↗2018-11-03

▶

Ubuntu

Linux kernel vulnerabilities↗2013-04-08

▶

Ubuntu

Linux kernel (OMAP4) vulnerabilities↗2013-04-08

▶

Ubuntu

Linux kernel (Quantal HWE) vulnerabilities↗2013-04-08

▶

Ubuntu

Linux kernel (OMAP4) vulnerabilities↗2013-04-08

▶

💬Community

Bugzilla

kernel: crypto: info leaks in report API↗2013-03-06

▶