CVE-2024-1454: Use After Free in Project Opensc

CWE-416: Use After Free | 7 documents | 7 sources

Severity: 3.4 LOW (NVD)
EPSS: 0.1% (top 76.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 12; Latest update Feb 13

Description

The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occurring in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker must have physical access to the computer system and requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can allow for compromised card management operatio

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 0.4 | Impact: 2.7

Affected Packages (2 packages)

NVD: opensc_project/opensc < 0.25.0
Debian: opensc_project/opensc < 0.21.0-1+deb11u1+3

Also affects: Fedora 38, 39, 40, Enterprise Linux 7.0, 8.0, 9.0

Patches

Vulnerability Details (3)

GHSA: GHSA-6q4q-mhg5-v6xh: The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occurring in the card enrolment process using pkcs15-init when a... (2024-02-13)
CVEList: Opensc: memory use after free in authentic driver when updating token info (2024-02-12)
OSV: CVE-2024-1454: The use-after-free vulnerability was found in the AuthentIC driver in OpenSC packages, occurring in the card enrolment process using pkcs15-init when a... (2024-02-12)

Vendor Advisories (3)

Microsoft: Opensc: memory use after free in authentic driver when updating token info (2024-02-13)
Red Hat: opensc: Memory use after free in AuthentIC driver when updating token info (2024-02-12)
Debian: CVE-2024-1454: opensc - The use-after-free vulnerability was found in the AuthentIC driver in OpenSC pac... (2024)

Source: cvebase