CVE-2023-48733

CWE-1188, CWE-489
7 documents, 7 sources

Severity: 6.7 MEDIUM
EPSS: 0.0% (top 96.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: published 2024-02-14, latest update 2025-11-26

Description

An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.
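The description says the problem is that Ubuntu's EDK2 build shipped with the UEFI Shell left enabled. A practical check is therefore whether a given firmware image actually carries the Shell application. The script below is an added example by the editor, not code from the advisory, Ubuntu or the edk2 project: it searches an image for the Shell's FFS file GUID (edk2's published FILE_GUID for ShellPkg/Application/Shell, 7C04A583-9E3E-4F1C-AD65-E05268D0B4D1) and, because OVMF packs its DXE volume inside an LZMA GUID-defined section (edk2's gLzmaCustomDecompressGuid), it also unpacks such sections and scans their contents. The section header layout assumed is the PI specification's EFI_GUID_DEFINED_SECTION; the sample image built by `build_sample_image` is a constructed fixture, not a real firmware.

```python
"""Scan a UEFI firmware image for the UEFI Shell's FFS file GUID.

Editor's added example (not from the advisory, Ubuntu or edk2): looks for
the Shell's FILE_GUID as a raw byte pattern and also descends into LZMA
GUID-defined sections, since OVMF stores its DXE volume that way.
"""
import lzma
import struct
import sys
import uuid

# FILE_GUID of ShellPkg/Application/Shell/Shell.inf (gUefiShellFileGuid).
UEFI_SHELL_FILE_GUID = uuid.UUID("7C04A583-9E3E-4F1C-AD65-E05268D0B4D1")
# gLzmaCustomDecompressGuid: a GUID-defined section whose data is LZMA.
LZMA_SECTION_GUID = uuid.UUID("EE4E5898-3914-4259-9D6E-DC7BD79403CF")
EFI_SECTION_GUID_DEFINED = 0x02


def _find_all(haystack: bytes, needle: bytes):
    pos = haystack.find(needle)
    while pos != -1:
        yield pos
        pos = haystack.find(needle, pos + 1)


def _lzma_payloads(image: bytes):
    """Yield the compressed data of each LZMA GUID-defined section found."""
    for p in _find_all(image, LZMA_SECTION_GUID.bytes_le):
        if p + 18 > len(image):  # need room for DataOffset after the GUID
            continue
        # Common header: Size[3] Type[1]; a large section (Size == 0xFFFFFF)
        # adds ExtendedSize[4]. The GUID follows the header in both cases.
        for start, large in ((p - 4, False), (p - 8, True)):
            if start < 0 or image[start + 3] != EFI_SECTION_GUID_DEFINED:
                continue
            size = int.from_bytes(image[start:start + 3], "little")
            if large != (size == 0xFFFFFF):
                continue
            if large:
                size = struct.unpack_from("<I", image, start + 4)[0]
            # DataOffset (relative to the section start) sits after the GUID.
            data_off = struct.unpack_from("<H", image, p + 16)[0]
            payload = image[start + data_off:start + size]
            if payload:
                yield payload
            break


def _decompress_lzma_alone(blob: bytes):
    """edk2's LzmaCompress writes the .lzma 'alone' container format."""
    try:
        return lzma.LZMADecompressor(format=lzma.FORMAT_ALONE).decompress(blob)
    except lzma.LZMAError:
        return None


def contains_uefi_shell(image: bytes, depth: int = 0, max_depth: int = 4) -> bool:
    """True if the Shell's file GUID appears in the image or inside any
    LZMA-compressed section nested in it (up to max_depth levels)."""
    if UEFI_SHELL_FILE_GUID.bytes_le in image:
        return True
    if depth >= max_depth:
        return False
    for payload in _lzma_payloads(image):
        inner = _decompress_lzma_alone(payload)
        if inner and contains_uefi_shell(inner, depth + 1, max_depth):
            return True
    return False


def build_sample_image(with_shell: bool) -> bytes:
    """Constructed fixture (not a real firmware): padding around one LZMA
    GUID-defined section, like OVMF's FVMAIN_COMPACT, whose decompressed
    content optionally carries the Shell's FFS file GUID."""
    marker = UEFI_SHELL_FILE_GUID.bytes_le if with_shell else b"\xAA" * 16
    inner = b"\x00" * 64 + marker + b"\x00" * 64
    compressed = lzma.compress(inner, format=lzma.FORMAT_ALONE)
    # Header is 24 bytes: Size[3] Type[1] GUID[16] DataOffset[2] Attributes[2].
    body = LZMA_SECTION_GUID.bytes_le + struct.pack("<HH", 24, 0) + compressed
    header = (4 + len(body)).to_bytes(3, "little") + bytes([EFI_SECTION_GUID_DEFINED])
    return b"\xFF" * 32 + header + body + b"\xFF" * 32


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        found = contains_uefi_shell(f.read())
    print("UEFI Shell file GUID found" if found else "UEFI Shell file GUID not found")
```

Run it as `python3 scan.py OVMF_CODE.fd` against the firmware you actually boot. A hit means the Shell application is present in the firmware volume, which is the condition this CVE is about; it does not by itself say whether the boot path reaches it. The scan only unpacks LZMA GUID-defined sections, so images that use EFI_SECTION_COMPRESSION (type 0x01, Tiano compression) or a different custom decompressor would need to be unpacked with a firmware tool first.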

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9

Affected Packages (5 packages)

Source      Package                        Versions
CVEListV5   ubuntu/edk2                    2024.05, 2024.05-2ubuntu0.3 (+1 more)
Debian      edk2                           < 2020.11-2+deb11u2 (+3 more)
NVD         tianocore/edk2                 2023.11-8
CVEListV5   canonical_ltd./ubuntu_edk_ii   < 2023.05-2ubuntu0.1
NVD         canonical/lxd                  5.0, 5.21 (+1 more)

Also affects: Debian Linux 10.0

🔴 Vulnerability Details (3)

GHSA, 2024-02-15: GHSA-cjc8-gmgf-qv2g: An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2
OSV, 2024-02-14: CVE-2023-48733: An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2
CVEList, 2024-02-14: CVE-2023-48733: An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2

📋 Vendor Advisories (3)

Red Hat, 2025-11-26: edk2: UEFI Shell access in Secure Boot environments allows bypass of Secure Boot constraints
Ubuntu, 2024-02-15: EDK II vulnerabilities
Debian, 2023: CVE-2023-48733: edk2 - An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK...