Fedora 39 update for opensc
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-5992 CVE-2024-1454 |
| CWE-ID | CWE-310 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system opensc Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Cryptographic issues
EUVDB-ID: #VU86937
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-5992
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the PKCS#1 encryption padding removal is not implemented as side-channel resistant. A remote attacker can gain access to sensitive data.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 39
opensc: before 0.25.0-1.fc39
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-2024-6460a03e29
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU86939
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-1454
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows an attacker to bypass authentication.
The vulnerability exists due to a use-after-free error in the AuthentIC driver in the card enrolment process using pkcs15-init when a user or administrator enrols or modifies cards. An attacker with physical access to the system can use a crafted USB device or smart card to present the system with specially crafted responses to the APDUs to card management operations during enrollment.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 39
opensc: before 0.25.0-1.fc39
CPE2.3 External linkshttps://bodhi.fedoraproject.org/updates/FEDORA-2024-6460a03e29
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
