{"containers": {"cna": {"affected": [{"product": "Tianocore", "vendor": "n/a", "versions": [{"status": "affected", "version": "See references"}]}], "descriptions": [{"lang": "en", "value": "Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access."}], "problemTypes": [{"descriptions": [{"description": "escalation of privilege", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-14T13:28:44", "orgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "shortName": "intel"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@intel.com", "ID": "CVE-2019-11098", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Tianocore", "version": {"version_data": [{"version_value": "See references"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "escalation of privilege"}]}]}, "references": {"reference_data": [{"name": "https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability", "refsource": "MISC", "url": "https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:40:16.262Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability"}]}]}, "cveMetadata": {"assignerOrgId": "6dda929c-bb53-4a77-a76d-48e79601a1ce", "assignerShortName": "intel", "cveId": "CVE-2019-11098", "datePublished": "2021-07-14T13:28:44", "dateReserved": "2019-04-11T00:00:00", "dateUpdated": "2024-08-04T22:40:16.262Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tianocore:edk_ii:-:*:*:*:*:*:*:*", "matchCriteriaId": "C2325CD2-6DB4-496A-8253-CB5AED8CE111", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access."}, {"lang": "es", "value": "Una comprobaci\u00f3n insuficiente de entrada en la funci\u00f3n MdeModulePkg en EDKII, puede permitir a un usuario no autenticado habilitar potencialmente una escalada de privilegios, Denegaci\u00f3n de Servicio y/o Divulgaci\u00f3n de Informaci\u00f3n por medio de acceso f\u00edsico"}], "id": "CVE-2019-11098", "lastModified": "2024-11-21T04:20:32.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-14T14:15:07.937", "references": [{"source": "secure@intel.com", "tags": ["Third Party Advisory"], "url": "https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability"}], "sourceIdentifier": "secure@intel.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "edk2: Insufficient input validation in MdeModulePkg may lead to privilege escalation", "id": "2007434", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007434"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.4", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.", "An improper input validation flaw in the MdeModulePkg module of edk2 may allow an unauthenticated attacker with physical access to the system handled by edk2 to escalate his privileges and cause a denial of service or disclose information."], "name": "CVE-2019-11098", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ovmf", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "impact": "low", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "edk2", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2019-05-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-11098\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11098\nhttps://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability"], "statement": "Within Red Hat Enterprise Linux, edk2 is used only on virtualized systems, thus in this context the attacker needs to be a local user of the host system who have already the ability to compromise the guests systems. For this reason, this flaw has a Low Impact on both Red Hat Enterprise Linux 7 and 8.", "threat_severity": "Moderate", "upstream_fix": "edk2 202008"}