CVE-2023-45237 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Affected Products (NVD)

Vendor	Product	Version
tianocore	edk2	𝑥 ≤ 202311

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

edk2

bookworm	no-dsa
bookworm (security)	vulnerable
bullseye	no-dsa
bullseye (security)	vulnerable
buster	no-dsa
sid	vulnerable
trixie	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

edk2

bionic	needed
focal	needed
jammy	needed
lunar	ignored
mantic	ignored
noble	needed
oracular	needed
trusty	ignored
xenial	needed

openSUSE / SLES Releases

openSUSE Product

Release

ovmf-202202

suse enterprise sap 15 SP4	150400.5.18.1 fixed
suse enterprise server 15 SP4	150400.5.18.1 fixed

ovmf-202208

suse enterprise server 15 SP5

150500.6.9.1

fixed

ovmf-202308

suse enterprise sap 15 SP6	150600.5.14.1 fixed
suse enterprise server 15 SP6	150600.5.14.1 fixed

ovmf-202408

suse enterprise sap 15 SP7	150700.1.3 fixed
suse enterprise server 15 SP7	150700.1.3 fixed

ovmf-tools-202202

suse enterprise sap 15 SP4	150400.5.18.1 fixed
suse enterprise server 15 SP4	150400.5.18.1 fixed

ovmf-tools-202208

suse enterprise server 15 SP5

150500.6.9.1

fixed

ovmf-tools-202308

suse enterprise sap 15 SP6	150600.5.14.1 fixed
suse enterprise server 15 SP6	150600.5.14.1 fixed

ovmf-tools-202408

suse enterprise sap 15 SP7	150700.1.3 fixed
suse enterprise server 15 SP7	150700.1.3 fixed

qemu-ovmf-x86_64-202202

suse enterprise sap 15 SP4	150400.5.18.1 fixed
suse enterprise server 15 SP4	150400.5.18.1 fixed

qemu-ovmf-x86_64-202208

suse enterprise server 15 SP5

150500.6.9.1

fixed

qemu-ovmf-x86_64-202308

suse enterprise sap 15 SP6	150600.5.14.1 fixed
suse enterprise server 15 SP6	150600.5.14.1 fixed

qemu-ovmf-x86_64-202408

suse enterprise sap 15 SP7	150700.1.3 fixed
suse enterprise server 15 SP7	150700.1.3 fixed

qemu-uefi-aarch64-202202

suse enterprise server 15 SP4

150400.5.18.1

fixed

qemu-uefi-aarch64-202208

suse enterprise server 15 SP5

150500.6.9.1

fixed

qemu-uefi-aarch64-202308

suse enterprise sap 15 SP6	150600.5.14.1 fixed
suse enterprise server 15 SP6	150600.5.14.1 fixed

qemu-uefi-aarch64-202408

suse enterprise sap 15 SP7	150700.1.3 fixed
suse enterprise server 15 SP7	150700.1.3 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

edk2-aarch64

RHEL 8	0:20220126gitbb1bba3d77-13.el8_10.2 fixed
RHEL 9	0:20231122-6.el9_4.2 fixed

edk2-ovmf

RHEL 8	0:20220126gitbb1bba3d77-13.el8_10.2 fixed
RHEL 9	0:20231122-6.el9_4.2 fixed

edk2-tools

RHEL 9

0:20231122-6.el9_4.2

fixed

edk2-tools-doc

RHEL 9

0:20231122-6.el9_4.2

fixed

Common Weakness Enumeration

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

References

http://www.openwall.com/lists/oss-security/2024/01/16/2

https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h

https://security.netapp.com/advisory/ntap-20240307-0011/

http://www.openwall.com/lists/oss-security/2024/01/16/2

https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h

https://security.netapp.com/advisory/ntap-20240307-0011/

https://www.kb.cert.org/vuls/id/132380