Vulnerability Details : CVE-2021-38575
NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
Vulnerability category: Overflow
Products affected by CVE-2021-38575
- cpe:2.3:o:insyde:kernel:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:insyde:kernel:5.1:*:*:*:*:*:*:*
- cpe:2.3:o:insyde:kernel:5.2:*:*:*:*:*:*:*
- cpe:2.3:o:insyde:kernel:5.3:*:*:*:*:*:*:*
- cpe:2.3:o:insyde:kernel:5.4:*:*:*:*:*:*:*
- cpe:2.3:o:insyde:kernel:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:tianocore:edk2:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-38575
0.21%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-38575
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2021-38575
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
-
The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.Assigned by: infosec@edk2.groups.io (Secondary)
-
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.Assigned by: infosec@edk2.groups.io (Secondary)
-
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Assigned by: infosec@edk2.groups.io (Secondary)
References for CVE-2021-38575
-
https://www.insyde.com/security-pledge/SA-2023025
Insyde Security Advisory 2023025 | Insyde SoftwareThird Party Advisory
-
https://bugzilla.tianocore.org/show_bug.cgi?id=3356
3356 – (CVE-2021-38575) NetworkPkg/IScsiDxe: remotely exploitable buffer overflowsExploit;Issue Tracking;Vendor Advisory
Jump to