CVE-2024-45616Use of Uninitialized Variable in Project Opensc

CWE-457Use of Uninitialized VariableCWE-908Use of Uninitialized Resource8 documents7 sources
Severity
3.9LOWNVD
EPSS
0.1%
top 74.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Opensc Project OpenscRedhat Enterprise Linux
Timeline
PublishedSep 3
Latest updateApr 9

Description

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 0.5 | Impact: 3.4

Affected Packages2 packages

NVDopensc_project/opensc< 0.26.0
Debianopensc_project/opensc< 0.21.0-1+deb11u1+3

Also affects: Enterprise Linux 7.0, 8.0, 9.0

🔴Vulnerability Details

3
GHSA
GHSA-2mjg-798r-mxwh: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK2024-09-04
CVEList
Libopensc: uninitialized values after incorrect check or usage of apdu response values in libopensc2024-09-03
OSV
CVE-2024-45616: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK2024-09-03

📋Vendor Advisories

4
Ubuntu
OpenSC vulnerabilities2025-04-09
Ubuntu
OpenSC vulnerabilities2025-03-12
Red Hat
libopensc: Uninitialized values after incorrect check or usage of APDU response values in libopensc2024-09-02
Debian
CVE-2024-45616: opensc - A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, a...2024
CVE-2024-45616 — Use of Uninitialized Variable | cvebase