CVE-2023-45235Improper Restriction of Operations within the Bounds of a Memory Buffer in Edk2

CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer9 documents8 sources
Severity
8.8HIGHNVD
CNA8.3OSV7.8
EPSS
0.4%
top 39.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Tianocore Edk2
Timeline
PublishedJan 16
Latest updateFeb 15

Description

EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

Debiantianocore/edk2< 2020.11-2+deb11u3+3
Ubuntutianocore/edk2< 0~20191122.bd85bf54-2ubuntu3.5+1
NVDtianocore/edk2202311
CVEListV5tianocore/edk2edk2-stable202308

🔴Vulnerability Details

4
OSV
edk2 vulnerabilities2024-02-15
CVEList
Buffer Overflow in EDK II Network Package2024-01-16
OSV
CVE-2023-45235: EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message2024-01-16
GHSA
GHSA-h9v6-q439-p7j2: EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message2024-01-16

📋Vendor Advisories

4
Ubuntu
EDK II vulnerabilities2024-02-15
Red Hat
edk2: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message2024-01-16
Microsoft
Buffer Overflow in EDK II Network Package2024-01-09
Debian
CVE-2023-45235: edk2 - EDK2's Network Package is susceptible to a buffer overflow vulnerability when ...2023
CVE-2023-45235 — Tianocore Edk2 vulnerability | cvebase