CVE-2023-45237

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This
 vulnerability can be exploited by an attacker to gain unauthorized 
access and potentially lead to a loss of Confidentiality.
PRNG
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
TianoCoreCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 60%
VendorProductVersion
tianocoreedk2
𝑥
≤ 202311
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
edk2
bullseye (security)
vulnerable
bullseye
no-dsa
bookworm
no-dsa
buster
no-dsa
bookworm (security)
vulnerable
trixie
vulnerable
sid
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
oracular
needed
noble
needed
mantic
ignored
lunar
ignored
jammy
needed
focal
needed
bionic
needed
xenial
needed
trusty
ignored
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/01/16/2
https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
https://security.netapp.com/advisory/ntap-20240307-0011/
http://www.openwall.com/lists/oss-security/2024/01/16/2
https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
https://security.netapp.com/advisory/ntap-20240307-0011/
https://www.kb.cert.org/vuls/id/132380