CVE-2023-5992 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.6 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
redhat	CNA	5.6 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 37%

Vendor	Product	Version
opensc_project	opensc	𝑥 < 0.25.0
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	enterprise_linux	9.0
redhat	enterprise_linux_eus	9.4
redhat	enterprise_linux_for_arm_64	8.0_aarch64:_aarch64
redhat	enterprise_linux_for_arm_64	9.0_aarch64:_aarch64
redhat	enterprise_linux_for_arm_64_eus	9.4_aarch64:_aarch64
redhat	enterprise_linux_for_ibm_z_systems	8.0_s390x:_s390x
redhat	enterprise_linux_for_ibm_z_systems	9.0_s390x:_s390x
redhat	enterprise_linux_for_ibm_z_systems_eus	9.4_s390x:_s390x
redhat	enterprise_linux_for_power_little_endian	9.0_ppc64le:_ppc64le
redhat	enterprise_linux_for_power_little_endian_eus	9.4_ppc64le:_ppc64le
redhat	enterprise_linux_server_aus	9.4
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	9.2
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	9.4_ppc64le:_ppc64le

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

opensc

bullseye	vulnerable
bookworm	no-dsa
buster	no-dsa
bullseye (security)	0.21.0-1+deb11u1 fixed
sid	0.26.0-1 fixed
trixie	0.26.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

opensc

oracular	needs-triage
noble	needs-triage
mantic	ignored
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	ignored

Known Exploits!

https://www.usenix.org/system/files/usenixsecurity24-shagam.pdf

Common Weakness Enumeration

CWE-203 - Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

https://access.redhat.com/errata/RHSA-2024:0966

https://access.redhat.com/errata/RHSA-2024:0967

https://access.redhat.com/security/cve/CVE-2023-5992

https://bugzilla.redhat.com/show_bug.cgi?id=2248685

https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992

https://www.usenix.org/system/files/usenixsecurity24-shagam.pdf

https://access.redhat.com/errata/RHSA-2024:0966

https://access.redhat.com/errata/RHSA-2024:0967

https://access.redhat.com/security/cve/CVE-2023-5992

https://bugzilla.redhat.com/show_bug.cgi?id=2248685

https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OWIZ5ZLO5ECYPLSTESCF7I7PQO5X6ZSU/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJI2FWLY24EOPALQ43YPQEZMEP3APPPI/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UECKC7X4IM4YZQ5KRQMNBNKNOXLZC7RZ/