Description
An out-of-bounds read vulnerability was found in the MyEID driver of OpenSC packages when handling symmetric key encryption. Exploiting this flaw requires an attacker to have physical access to the computer and a specially crafted USB device or smart card. The flaw allows the attacker to manipulate APDU responses and potentially gain unauthorized access to sensitive data, compromising the system's security.
References (9)
Core References
Issue Tracking, Patch
https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
Release Notes
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
Vendor Advisory
https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2023:7879
Third Party Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2023-4535
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2240914
Scores
CVSS v3
4.5
EPSS
0.0024
EPSS Percentile
46.6%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Details
CWE
CWE-125
Status
published
Products (4)
fedoraproject/fedora
38
fedoraproject/fedora
39
opensc_project/opensc
0.23.0 (3 CPE variants)
redhat/enterprise_linux
9.0
Published
Nov 06, 2023
Tracked Since
Feb 18, 2026