CVE-2023-45230 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Edk2

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-787 — Out-of-bounds Write9 documents8 sources

Severity

8.8HIGHNVD

CNA8.3OSV7.8

EPSS

0.3%

top 46.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tianocore Edk2

Timeline

PublishedJan 16

Latest updateFeb 15

Description

EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Debiantianocore/edk2< 2020.11-2+deb11u3+3

▶Ubuntutianocore/edk2< 0~20191122.bd85bf54-2ubuntu3.5+1

▶NVDtianocore/edk2202311

▶CVEListV5tianocore/edk2edk2-stable202308

🔴Vulnerability Details

OSV

edk2 vulnerabilities↗2024-02-15

▶

OSV

CVE-2023-45230: EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client↗2024-01-16

▶

CVEList

Buffer Overflow in EDK II Network Package↗2024-01-16

▶

GHSA

GHSA-fc9w-pqjw-8r96: EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client↗2024-01-16

▶

📋Vendor Advisories

Ubuntu

EDK II vulnerabilities↗2024-02-15

▶

Red Hat

edk2: Buffer overflow in the DHCPv6 client via a long Server ID option↗2024-01-16

▶

Microsoft

Buffer Overflow in EDK II Network Package↗2024-01-09

▶

Debian

CVE-2023-45230: edk2 - EDK2's Network Package is susceptible to a buffer overflow vulnerability via a l...↗2023

▶