CVE-2023-5992 : A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is n

Products affected by CVE-2023-5992

Redhat » Enterprise Linux » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 9.0
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 9.4
cpe:2.3:o:redhat:enterprise_linux_eus:9.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 9.4
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Power Little Endian Eus » Version: 9.4 Ppc64le
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Power Little Endian » Version: 9.0 Ppc64le
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Ibm Z Systems Eus » Version: 9.4 S390x
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Ibm Z Systems » Version: 8.0 S390x
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Ibm Z Systems » Version: 9.0 S390x
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions » Version: 9.2
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions » Version: 9.4 Ppc64le
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.4_ppc64le:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Arm 64 » Version: 9.0 Aarch64
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Arm 64 » Version: 8.0 Aarch64
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux For Arm 64 Eus » Version: 9.4 Aarch64
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64:*:*:*:*:*:*:*
Matching versions
Opensc Project » Opensc
Versions before (<) 0.25.0
cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-5992

EPSS FAQ

0.49%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 64 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-5992

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST	2024-02-09
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.6	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L	2.2	3.4	Red Hat, Inc.	2024-01-31
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2023-5992

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: secalert@redhat.com (Secondary)
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)

References for CVE-2023-5992

https://access.redhat.com/errata/RHSA-2024:0966

RHSA-2024:0966 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-5992

CVE-2023-5992- Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:0967

RHSA-2024:0967 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992

CVE 2023 5992 · OpenSC/OpenSC Wiki · GitHub
Vendor Advisory
https://www.usenix.org/system/files/usenixsecurity24-shagam.pdf

Exploit;Technical Description
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJI2FWLY24EOPALQ43YPQEZMEP3APPPI/

[SECURITY] Fedora 39 Update: opensc-0.25.0-1.fc39 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UECKC7X4IM4YZQ5KRQMNBNKNOXLZC7RZ/

[SECURITY] Fedora 40 Update: opensc-0.25.0-1.fc40 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OWIZ5ZLO5ECYPLSTESCF7I7PQO5X6ZSU/

[SECURITY] Fedora 38 Update: opensc-0.25.0-1.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=2248685

2248685 – (CVE-2023-5992) CVE-2023-5992 OpenSC: Side-channel leaks while stripping encryption PKCS#1 padding
Issue Tracking

Vulnerability Details : CVE-2023-5992

Products affected by CVE-2023-5992

Exploit prediction scoring system (EPSS) score for CVE-2023-5992

CVSS scores for CVE-2023-5992

CWE ids for CVE-2023-5992

References for CVE-2023-5992