CVE-2023-45237

EUVD-2023-49543
EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This
 vulnerability can be exploited by an attacker to gain unauthorized 
access and potentially lead to a loss of Confidentiality.
PRNG
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
TianoCoreCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
Affected Products (NVD)
VendorProductVersion
tianocoreedk2
𝑥
≤ 202311
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
edk2
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
no-dsa
bullseye (security)
vulnerable
buster
no-dsa
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
bionic
needed
focal
needed
jammy
needed
lunar
ignored
mantic
ignored
noble
needed
oracular
needed
trusty
ignored
xenial
needed
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/01/16/2
https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
https://security.netapp.com/advisory/ntap-20240307-0011/
http://www.openwall.com/lists/oss-security/2024/01/16/2
https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h
https://security.netapp.com/advisory/ntap-20240307-0011/
https://www.kb.cert.org/vuls/id/132380