CVE-2023-45234Improper Restriction of Operations within the Bounds of a Memory Buffer in Edk2

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents8 sources
Severity
8.8HIGHNVD
CNA8.3OSV7.8
EPSS
0.3%
top 46.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Tianocore Edk2
Timeline
PublishedJan 16
Latest updateFeb 15

Description

EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

Debiantianocore/edk2< 2020.11-2+deb11u3+3
Ubuntutianocore/edk2< 0~20191122.bd85bf54-2ubuntu3.5+1
NVDtianocore/edk2202311
CVEListV5tianocore/edk2edk2-stable202308

🔴Vulnerability Details

4
OSV
edk2 vulnerabilities2024-02-15
OSV
CVE-2023-45234: EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message2024-01-16
CVEList
Buffer Overflow in EDK II Network Package2024-01-16
GHSA
GHSA-mrjv-p9q7-rxgr: EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message2024-01-16

📋Vendor Advisories

4
Ubuntu
EDK II vulnerabilities2024-02-15
Red Hat
edk2: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message2024-01-16
Microsoft
Buffer Overflow in EDK II Network Package2024-01-09
Debian
CVE-2023-45234: edk2 - EDK2's Network Package is susceptible to a buffer overflow vulnerability when pr...2023
CVE-2023-45234 — Tianocore Edk2 vulnerability | cvebase