AZL-31944

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-31944.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-31944

Upstream

CVE-2023-40661

Published

2023-11-06T17:15:11Z

Modified

2026-04-01T05:10:30.333309Z

Severity

6.4 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2023-40661 affecting package opensc for versions less than 0.23.0-5

Details

Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-40661

Affected packages

Azure Linux:2 / opensc

Package

Name: opensc
Purl: pkg:rpm/azure-linux/opensc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.23.0-5

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-31944.json"