CVE-2023-45840
HIGHBuildroot 2023.08.1 and dev commit 622698d7847 - Arbitrary Command Execution via Package Hash Checking Bypass
Title source: llmDescription
Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `riscv64-elf-toolchain` package.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/12/11/1
Exploit, Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1844
Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1844
Scores
CVSS v3
8.1
EPSS
0.0081
EPSS Percentile
52.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-494
Status
published
Products (1)
buildroot/buildroot
2023.08.1
Published
Dec 05, 2023
Tracked Since
Feb 18, 2026