Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# [CVE-2024-45615](https://nvd.nist.gov/vuln/detail/CVE-2024-45615): Usage of uninitialized values in libopensc and pkcs15init | ||
|
||
The reported issues are part of the libopensc library, which makes them accessible from OpenSC tools, PKCS#11 module, minidriver, or CTK. One is only relevant to handling the card enrollment using the pkcs15-init tool. | ||
The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity. | ||
|
||
The problem is missing initialization of variables expected to be initialized (as arguments to other functions, etc.). | ||
The uninitialized variables were reflected in the following functions: | ||
|
||
- [cac_read_file](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L423) | ||
- calling function for reading files with uninitialized values for buffer and length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L389) | ||
Check failure on line 10 in CVE-2024-45615.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt | ||
- [piv_get_challenge](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-piv.c#L4460) | ||
- uninitialized value later used in piv_get_challenge, since variables are not initialized by sc_asn1_read_tag (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-piv.c#L4459) | ||
Check failure on line 13 in CVE-2024-45615.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_pkcs11 | ||
- [sc_asn1_decode_object_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L838) | ||
- uninitialized values come from sc_pkcs15_get_name_from_dn function (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-cert.c#L172) | ||
Check failure on line 16 in CVE-2024-45615.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_pkcs11 | ||
- [sc_pkcs15emu_sc_hsm_decode_cvc](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-sc-hsm.c#L421) | ||
- uninitialized values not filled by sc_asn1_read_tag function (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-sc-hsm.c#L389) | ||
Check failure on line 19 in CVE-2024-45615.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_pkcs15_crypt | ||
- do_init_app, [sc_pkcs15init_create_pin](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L1140) | ||
- uninitialized value comes from do_pin_flags (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/profile.c#L1812) | ||
Check failure on line 22 in CVE-2024-45615.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_pkcs15init | ||
|
||
Affected versions: all before 0.26.0 | ||
|
||
Originally reported by Matteo Marini (Sapienza University of Rome) | ||
|
||
CVSS:3.1[/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) (3.9) | ||
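Review bot: The Markdown check fails on lines 10, 13, 16, 19 and 22 of CVE-2024-45615.md, and every one of those is a second-level list item that ends in a bare URL in parentheses. Please confirm from the check output which rule fires; independent of that, writing these references as named links, the way the first-level function names already are, would make the list consistent, and `do_init_app` in the last entry is the only first-level function without a link. The file also says "Affected versions: all before 0.26.0" without naming the fixing commits, so a reader cannot check a backport against it; a short list of fix references would close that gap.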
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# [CVE-2024-45616](https://nvd.nist.gov/vuln/detail/CVE-2024-45616): Uninitialized values after incorrect check or usage of APDU response values in libopensc | ||
|
||
The reported issues are part of the libopensc library, which makes them accessible from OpenSC tools, PKCS#11 module, minidriver, or CTK. | ||
The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity. | ||
|
||
The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card. | ||
The uninitialized variables were reflected in these functions: | ||
|
||
- [cardos_match_card](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L136) | ||
- uninitialized APDU response buffer, unchecked response length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L136) | ||
Check failure on line 10 in CVE-2024-45616.md GitHub Actions / Check for Markdown errors
|
||
- uninitialized value used later by cardos_match_card | ||
- found via fuzz_card, fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode | ||
- _itoa_word, called from [sc_hex_dump](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/log.c#L367) | ||
- the problem arose from cac_cac1_get_certificate function with wrong calculation of certificate length based on the APDU rseponse length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac1.c#L95-L100) | ||
Check failure on line 14 in CVE-2024-45616.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_card, fuzz_pkcs15_crypt, fuzz_pkcs15_decode | ||
- sc_bin_to_hex | ||
- the problem arose from auth_select_aid function unchecked SW1 and SW2 after querying for serial number (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-oberthur.c#L163) | ||
Check failure on line 17 in CVE-2024-45616.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_pkcs11, fuzz_pkcs15_encode | ||
- strcmp, called from sc_asn1_read_tag | ||
- the problem arose from gids_get_DO function with uncorrect setting of buffer length, when buffer filled with APDU response (https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/card-gids.c#L249-L253) | ||
Check failure on line 20 in CVE-2024-45616.md GitHub Actions / Check for spelling errors
Check failure on line 20 in CVE-2024-45616.md GitHub Actions / Check for Markdown errors
|
||
- found via fuzz_pkcs15_decode, | ||
- [asn1_decode](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L1740) | ||
- do_select not checking APDU response length before accesssing APDu response buffer (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L590) | ||
- found via fuzz_pkcs11, fuzz_pkcs15_decode | ||
- [process_fcp](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L508) | ||
- do_select not checking APDU response length before accesssing APDu response buffer (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-mcrd.c#L590) | ||
- fuzz_pkcs15_crypt | ||
- [dnie_process_fci](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L2024) | ||
- dnie_compose_and_send_apdu lacks checking for APDU reponse length before accessing response (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L1180) | ||
- found via fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode | ||
- [iso7816_process_fci](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iso7816.c#L463) | ||
- dnie_compose_and_send_apdu lacks checking for APDU reponse length before accessing response (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-dnie.c#L1180) | ||
- found via fuzz_pkcs15_encode | ||
- [sc_pkcs15init_parse_info](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L4564), [msc_extract_rsa_public_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/muscle.c#L620) | ||
- incorrect return of APDU reponse data length in msc_partial_read_object (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/muscle.c#L96) | ||
- uninitialized part of buffer after actual length accessed by sc_pkcs15init_parse_info | ||
- found via fuzz_pkcs11, fuzz_pkcs15init | ||
- [sc_bin_to_hex](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L155) | ||
- unchecked APDU response length when querying for serial number in auth_select_aid (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-oberthur.c#L163) | ||
- found via fuzz_pkcs15_crypt, fuzz_pkcs15init, fuzz_pkcs15_decode | ||
- [gids_read_masterfile](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-gids.c#L368) | ||
- the problem arose from gids_get_DO function with uncorrect setting of buffer length, when buffer filled with APDU response (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-gids.c#L249-L253) | ||
- [sc_bin_to_hex](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L155) | ||
- unchecked value of APDU response length in function entersafe_get_serialnr (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-entersafe.c#L1424) | ||
- found via fuzz_pkcs15_reader | ||
|
||
Affected versions: all before 0.26.0 | ||
|
||
Originally reported by Matteo Marini (Sapienza University of Rome) | ||
|
||
CVSS:3.1[/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) (3.9) |
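Review bot: The gids_get_DO reference under the "strcmp, called from sc_asn1_read_tag" entry links to `blob/master/src/libopensc/card-gids.c#L249-L253`, while every other link in the file, including the same reference under gids_read_masterfile, is pinned to commit d5a5b5428ef1b33c71057fd173e541cdc0273485. The line anchors will drift once master changes, so pin this one too. That is also the line where the spelling check fails (line 20, "uncorrect"), and similar typos recur in "rseponse", "accesssing APDu" and "reponse". Smaller consistency points: the first sc_bin_to_hex entry is unlinked and points at the same auth_select_aid line as the linked sc_bin_to_hex entry further down, the process_fcp entry says only "fuzz_pkcs15_crypt" without "found via", and "found via fuzz_pkcs15_decode," ends in a stray comma.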
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# [CVE-2024-45617](https://nvd.nist.gov/vuln/detail/CVE-2024-45617): Uninitialized values after incorrect or missing checking return values of functions in libopensc | ||
|
||
The reported issues are part of the libopensc library, which makes them accessible from OpenSC tools, PKCS#11 module, minidriver, or CTK. | ||
The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity. | ||
|
||
Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. | ||
The uninitialized variables were reflected in the following functions: | ||
|
||
- bcdmp, called from [cac_list_compare_path](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac-common.c#L73) | ||
- in function cac_parse_aid, code accesses path buffer by cac_list_compare_path, when function for selecting file fails (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cac.c#L1296) | ||
- found via fuzz_pkcs11, fuzz_pkcs15_decode | ||
- [cardos_lifecycle_get](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L1288) | ||
- incorrect check for error status leading into not propagating the error and usage of uninitialized value (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-cardos.c#L1284) | ||
- found via fuzz_pkcs11 | ||
- [sc_pkcs15_read_file](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15.c#L2535) | ||
- incorrect checking of return value in jpki_select_file (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-jpki.c#L196) | ||
- found via fuzz_pkcs15_encode | ||
|
||
Affected versions: all before 0.26.0 | ||
|
||
Originally reported by Matteo Marini (Sapienza University of Rome) | ||
|
||
CVSS:3.1[/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) (3.9) |
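Review bot: The first list item names the sink as "bcdmp, called from cac_list_compare_path"; bcdmp does not look like a function name, so please check whether bcmp is meant and correct it. The summary sentence "leads to unexpected work with variables that have not been initialized" is also hard to parse; "leads to use of variables that have not been initialized" says the same thing directly.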
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
# [CVE-2024-45618](https://nvd.nist.gov/vuln/detail/CVE-2024-45618): Uninitialized values after incorrect or missing checking return values of functions in pkcs15init | ||
|
||
The reported issues are part of the card enrollment process using the pkcs15-init tool. | ||
The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity. | ||
|
||
Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized. | ||
The uninitialized variables were reflected in the following functions: | ||
|
||
- strlen, called from [set_string](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sc.c#L252) | ||
- no checking of return value in sc_pkcs15emu_tcos_init_ex (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L536) | ||
- [sc_build_pin](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/sec.c#L281) | ||
- missing error handling in sc_pkcs15init_verify_secret (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L3831-L3841) | ||
- found via fuzz_pkcs15init | ||
- DES_set_key_unchecked, called from [openssl_enc](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-epass2003.c#L295) | ||
- missing error handling in sc_pkcs15init_verify_secret (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-lib.c#L3831-L3841) | ||
- found via fuzz_pkcs15init | ||
|
||
Affected versions: all before 0.26.0 | ||
|
||
Originally reported by Matteo Marini (Sapienza University of Rome) | ||
|
||
CVSS:3.1[/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) (3.9) |
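Review bot: The first entry (strlen, called from set_string) has no "found via" line, and both its sink (src/libopensc/sc.c) and its cause (sc_pkcs15emu_tcos_init_ex in src/libopensc/pkcs15-tcos.c) are in libopensc, so nothing in the entry ties it to the pkcs15-init enrollment scope stated in the introduction. Add the fuzzer that found it, as the other two entries do, and if it is reachable outside pkcs15-init consider moving it to CVE-2024-45617.md, which covers the same class of bug in libopensc.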
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
# [CVE-2024-45619](https://nvd.nist.gov/vuln/detail/CVE-2024-45619): Incorrect handling length of buffers or files in libopensc | ||
|
||
The reported issues are part of the libopensc library, which makes them accessible from OpenSC tools, PKCS#11 module, minidriver, or CTK. | ||
The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity. | ||
|
||
When buffers are partially filled with data, uninitialized parts of the buffer can be incorrectly accessed. | ||
The uninitialized variables were reflected in the following functions: | ||
|
||
- [insert_cert](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L70) | ||
- missing check for empty read file (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L65) | ||
- found via fuzz_pkcs11, fuzz_pkcs15_crypt, fuzz_pkcs15_decode, fuzz_pkcs15_encode | ||
- [asn1_encode_path](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/asn1.c#L1219) | ||
- function insert_cert accessing buffer after filled length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-tcos.c#L70-L77) | ||
- found via fuzz_pkcs15_encode | ||
- [gemsafe_get_cert_len](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-gemsafeV1.c#L252) | ||
- accessing uninit(https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L763), [iasecc_se_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L331) | ||
- missing checks for accessing data buffer (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L764 and https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L322) | ||
- found via fuzz_pkcs15init | ||
- [setcos_generate_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L511) | ||
- missing check for data length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L507) | ||
- found via fuzz_pkcs15init | ||
- [sc_hsm_determine_free_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L144) | ||
- incorrect checking of file list length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L143) | ||
- found via fuzz_pkcs15initialized part of buffer without checking actual buffer length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/pkcs15-gemsafeV1.c#L180) | ||
- found via fuzz_pkcs15_crypt, fuzz_pkcs15_decode | ||
- [coolkey_rsa_op](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-coolkey.c#L1771) | ||
- missing check for length of buffer (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/card-coolkey.c#L1770) | ||
- found via fuzz_pkcs15_reader | ||
|
||
Affected versions: all before 0.26.0 | ||
|
||
Originally reported by Matteo Marini (Sapienza University of Rome) | ||
|
||
CVSS:3.1[/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) (3.9) |
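Review bot: The gemsafe_get_cert_len entry is broken by what looks like a paste into the middle of its description: the sub-item starts "accessing uninit" and runs straight into the iasecc-sdo.c link, and the rest of the sentence ("ialized part of buffer without checking actual buffer length", with the pkcs15-gemsafeV1.c#L180 link) only turns up several lines later, fused onto "found via fuzz_pkcs15init". The lines in between (iasecc_se_parse, setcos_generate_key, sc_hsm_determine_free_id) are the entries CVE-2024-45620.md lists for pkcs15init, so they should be dropped here and the gemsafe_get_cert_len sub-item restored as one line, followed by the "found via fuzz_pkcs15_crypt, fuzz_pkcs15_decode" line that appears to belong to it.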
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# [CVE-2024-45620](https://nvd.nist.gov/vuln/detail/CVE-2024-45620): Incorrect handling length of buffers or files in pkcs15init | ||
|
||
The reported issues are part of the card enrollment process using the pkcs15-init tool. | ||
The attack requires a crafted USB device or smart card that would present the system with specially crafted responses to the APDUs, so they are considered high complexity and low severity. | ||
|
||
When buffers are partially filled with data, uninitialized parts of the buffer can be incorrectly accessed. | ||
The uninitialized variables were reflected in the following functions: | ||
|
||
- [starcos_write_pukey](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-starcos.c#L683) | ||
- lack of checking file length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-starcos.c#L671) | ||
- found via fuzz_pkcs15init | ||
- [iasecc_sdo_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L763), [iasecc_se_parse](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L331) | ||
- missing checks for accessing data buffer (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L764 and https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/libopensc/iasecc-sdo.c#L322) | ||
- found via fuzz_pkcs15init | ||
- [setcos_generate_key](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L511) | ||
- missing check for data length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-setcos.c#L507) | ||
- found via fuzz_pkcs15init | ||
- [sc_hsm_determine_free_id](https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L144) | ||
- incorrect checking of file list length (https://github.com/OpenSC/OpenSC/blob/d5a5b5428ef1b33c71057fd173e541cdc0273485/src/pkcs15init/pkcs15-sc-hsm.c#L143) | ||
- found via fuzz_pkcs15init | ||
|
||
Affected versions: all before 0.26.0 | ||
|
||
Originally reported by Matteo Marini (Sapienza University of Rome) | ||
|
||
CVSS:3.1[/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) (3.9) |
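Review bot: In the iasecc_sdo_parse / iasecc_se_parse entry, both the sinks and the "missing checks" references are in src/libopensc/iasecc-sdo.c, while the introduction scopes this advisory to the pkcs15-init enrollment process; if that code is reached only through pkcs15-init (the entry is found via fuzz_pkcs15init), a clause saying so would make the classification clear. The same sub-item puts two bare URLs joined by "and" inside one pair of parentheses; two named links, one per function, would be easier to read and to check.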