CVE-2023-20521

CWE-367 | 3 documents | 3 sources
Severity: 5.7 MEDIUM
EPSS: 0.0% (top 88.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 14

Description

TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially leading to loss of confidentiality or a denial of service.

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L
Exploitability: 0.3 | Impact: 2.7

Affected Packages (103 packages)

NVD amd/amd_3015e_firmware < pollockpi-ft5_1.0.0.4
NVD amd/epyc_7001_firmware < naplespi_1.0.0.h
NVD amd/epyc_7203_firmware < milanpi_1.0.0.7
NVD amd/epyc_7251_firmware < naplespi_1.0.0.h
NVD amd/epyc_7252_firmware < romepi_1.0.0.d

Vulnerability Details (2)

2023-11-14 | GHSA | GHSA-7r55-mp9r-c8pj: TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially
2023-11-14 | CVEList | CVE-2023-20521: TOCTOU in the ASP Bootloader may allow an attacker with physical access to tamper with SPI ROM records after memory content verification, potentially