CVE-2023-48733
Published 2024-02-14
CVE-2023-48733: An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.
Severity: Medium, 6.7 (CVSS 3.1)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | lxd | — | — |
| canonical | lxd | — | — |
| debian | debian_linux | — | — |
| debian | edk2 | < edk2 2022.11-6+deb12u1 (bookworm) | edk2 2022.11-6+deb12u1 (bookworm) |
| tianocore | edk2 | <= 2023.11-8 | — |
| tianocore | edk2 | — | — |
| tianocore | edk2 | — | — |
| tianocore | edk2 | >= 0 < 2020.11-2+deb11u2 | 2020.11-2+deb11u2 |
| tianocore | edk2 | >= 0 < 2022.11-6+deb12u1 | 2022.11-6+deb12u1 |
| tianocore | edk2 | >= 0 < 2023.11-7 | 2023.11-7 |
| tianocore | edk2 | >= 0 < 2023.11-7 | 2023.11-7 |
| tianocore | edk2 | >= 0 < 0~20191122.bd85bf54-2ubuntu3.5 | 0~20191122.bd85bf54-2ubuntu3.5 |
| tianocore | edk2 | >= 0 < 2022.02-3ubuntu0.22.04.2 | 2022.02-3ubuntu0.22.04.2 |
| ubuntu | edk2 | >= 2024.02 < 2024.02-2ubuntu0.3 | 2024.02-2ubuntu0.3 |
| ubuntu | edk2 | >= 2024.05 < 2024.05-2ubuntu0.3 | 2024.05-2ubuntu0.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 3.7 | LOW | CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 7.8 | HIGH | |