Skip to content

Latest commit

 

History

History
18 lines (13 loc) · 1.48 KB

CVE-2024-8443.md

File metadata and controls

18 lines (13 loc) · 1.48 KB

CVE-2024-8443: Heap buffer overflow in OpenPGP driver when generating key

This advisory summarizes automatically reported security-relevant issues reported since the release of OpenSC 0.25.1.

The Heap Buffer Overflow vulnerability was identified within the OpenPGP driver during the card enrollment process using the pkcs15-init tool to generate RSA or ECDSA key when a user or administrator enrolls or modifies cards, but it can also be encountered when using the driver for key generation (for example via openpgp-tool). The attack requires a crafted USB device or smart card to present the system with specially crafted responses to the APDUs, which are considered high complexity and low severity. This manipulation can potentially compromise card management operations during enrollment and modification of the keys on the card.

Originally reported by OSS-fuzz automated service.

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (3.4)