CVE-2020-10648 — Improper Input Validation in U-boot

CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 68.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Denx U-boot Debian U-boot Opensuse Leap

Timeline

PublishedMar 19

Latest updateMay 24

Description

Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions and subsequently boot arbitrary images by providing a crafted FIT image to a system configured to boot the default configuration.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDdenx/u-boot< 2018.03+1

▶debiandebian/u-boot< u-boot 2020.04+dfsg-1 (bookworm)

▶Debiandenx/u-boot< 2020.04+dfsg-1+3

▶NVDopensuse/leap15.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-qxmg-j2wh-fmfw: Das U-Boot through 2020↗2022-05-24

▶

OSV

CVE-2020-10648: Das U-Boot through 2020↗2020-03-19

▶

📋Vendor Advisories

Debian

CVE-2020-10648: u-boot - Das U-Boot through 2020.01 allows attackers to bypass verified boot restrictions...↗2020

▶