CVE-2019-11098

Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 MEDIUM
PHYSICAL
LOW
NONE
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
Affected Products (NVD)
VendorProductVersion
tianocoreedk_ii
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
edk2
bookworm
2022.11-6+deb12u1
fixed
bookworm (security)
2022.11-6+deb12u1
fixed
bullseye
2020.11-2+deb11u2
fixed
bullseye (security)
2020.11-2+deb11u2
fixed
buster
no-dsa
sid
2024.08-4
fixed
stretch
no-dsa
trixie
2024.08-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
bionic
needed
focal
Fixed 0~20191122.bd85bf54-2ubuntu3.3
released
groovy
ignored
hirsute
Fixed 2020.11-4ubuntu0.1
released
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
ovmf-201911
suse enterprise server 15 SP2
150200.7.24.1
fixed
ovmf-202008
suse enterprise sap 15 SP3
150300.10.17.1
fixed
suse enterprise server 15 SP3
150300.10.17.1
fixed
ovmf-tools-201911
suse enterprise server 15 SP2
150200.7.24.1
fixed
ovmf-tools-202008
suse enterprise sap 15 SP3
150300.10.17.1
fixed
suse enterprise server 15 SP3
150300.10.17.1
fixed
qemu-ovmf-x86_64-201911
suse enterprise server 15 SP2
150200.7.24.1
fixed
qemu-ovmf-x86_64-202008
suse enterprise sap 15 SP3
150300.10.17.1
fixed
suse enterprise server 15 SP3
150300.10.17.1
fixed
qemu-uefi-aarch64-201911
suse enterprise server 15 SP2
150200.7.24.1
fixed
qemu-uefi-aarch64-202008
suse enterprise server 15 SP3
150300.10.17.1
fixed
Common Weakness Enumeration
References
https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability
https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability