CVE-2018-16391 - OpenCVE

Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

No CVSS v4.0

No CVSS v3.1

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Opensc Project	Opensc
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
opensc-0:0.19.0-3.el7	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:2154	2019-08-06T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2019:2154
https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-477b7a40136bb418b10ce271c8664536
https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1
https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html
https://nvd.nist.gov/vuln/detail/CVE-2018-16391
https://www.cve.org/CVERecord?id=CVE-2018-16391
https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-09-03T14:00:00

Updated: 2024-08-05T10:24:32.082Z

Reserved: 2018-09-03T00:00:00

Link: CVE-2018-16391

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-09-03T14:29:00.247

Modified: 2019-08-06T17:15:26.320

Link: CVE-2018-16391

Redhat

Severity : Moderate

Publid Date: 2018-09-12T00:00:00Z

Links: CVE-2018-16391 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-09-03T00:00:00", "descriptions": [{"lang": "en", "value": "Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-09-11T21:06:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-477b7a40136bb418b10ce271c8664536"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1"}, {"tags": ["x_refsource_MISC"], "url": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/"}, {"name": "RHSA-2019:2154", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2154"}, {"name": "[debian-lts-announce] 20190911 [SECURITY] [DLA 1916-1] opensc security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-16391", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-477b7a40136bb418b10ce271c8664536", "refsource": "MISC", "url": "https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-477b7a40136bb418b10ce271c8664536"}, {"name": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1", "refsource": "MISC", "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1"}, {"name": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/", "refsource": "MISC", "url": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/"}, {"name": "RHSA-2019:2154", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2154"}, {"name": "[debian-lts-announce] 20190911 [SECURITY] [DLA 1916-1] opensc security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:24:32.082Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-477b7a40136bb418b10ce271c8664536"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/"}, {"name": "RHSA-2019:2154", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2154"}, {"name": "[debian-lts-announce] 20190911 [SECURITY] [DLA 1916-1] opensc security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-16391", "datePublished": "2018-09-03T14:00:00", "dateReserved": "2018-09-03T00:00:00", "dateUpdated": "2024-08-05T10:24:32.082Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*", "matchCriteriaId": "85C3EC93-1A01-4E7D-9730-F8429C1CD145", "versionEndIncluding": "0.18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Several buffer overflows when handling responses from a Muscle Card in muscle_list_files in libopensc/card-muscle.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact."}, {"lang": "es", "value": "Varios desbordamientos de b\u00fafer al manejar las respuestas de una Muscle Card en muscle_list_files en libopensc/card-muscle.c en OpenSC en versiones anteriores a la 0.19.0-rc1 podr\u00edan ser empleados por atacantes para proporcionar smartcards manipuladas para provocar una denegaci\u00f3n de servicio (cierre inesperado de la aplicaci\u00f3n) o, posiblemente, otro tipo de impacto sin especificar."}], "id": "CVE-2018-16391", "lastModified": "2019-08-06T17:15:26.320", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-03T14:29:00.247", "references": [{"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:2154"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-477b7a40136bb418b10ce271c8664536"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.19.0-rc1"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00009.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}