Tpm2 Software Stack Project Tpm2 Software Stack 2.3.2

CPE Details

Tpm2 Software Stack Project Tpm2 Software Stack 2.3.2
tpm2_software_stack_project
tpm2_software_stack
2.3.2
2021-02-26
13h03 +00:00
2021-04-26
13h25 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:tpm2_software_stack_project:tpm2_software_stack:2.3.2:*:*:*:*:*:*:*

Informations

Vendor

tpm2_software_stack_project

Product

tpm2_software_stack

Version

2.3.2

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2023-22745 2023-01-19 22h12 +00:00 tpm2-tss is an open source software implementation of the Trusted Computing Group (TCG) Trusted Platform Module (TPM) 2 Software Stack (TSS2). In affected versions `Tss2_RC_SetHandler` and `Tss2_RC_Decode` both index into `layer_handler` with an 8 bit layer number, but the array only has `TPM2_ERROR_TSS2_RC_LAYER_COUNT` entries, so trying to add a handler for higher-numbered layers or decode a response code with such a layer number reads/writes past the end of the buffer. This Buffer overrun, could result in arbitrary code execution. An example attack would be a MiTM bus attack that returns 0xFFFFFFFF for the RC. Given the common use case of TPM modules an attacker must have local access to the target machine with local system privileges which allows access to the TPM system. Usually TPM access requires administrative privilege.
6.4
Medium
CVE-2020-24455 2021-02-26 01h55 +00:00 Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4.3.
6.7
Medium
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.