CVE-2023-20677 - Vulnerability Details

In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588436.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MediaTek, Inc.

MT5221, MT6781, MT6789, MT6833, MT6855, MT6877, MT6879, MT6895, MT6983, MT7663, MT7668, MT7902, MT7921, MT8167S, MT8168, MT8169, MT8175, MT8185, MT8362A, MT8365, MT8385, MT8518, MT8532, MT8675, MT8695, MT8766, MT8768, MT8771, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8797, MT8798

affected

Version	Status	Constraints
`Android 11.0, 12.0, 13.0 / Yocto 3.1, 3.3, 4.0 / Linux-4.19 (for MT5221, MT7663, MT7668, MT7902 and MT7921 chipsets only)`	affected	—

Configuration 1 [-]

AND

OR	cpe:2.3:o:google:android:11.0:::::::*
	cpe:2.3:o:google:android:12.0:::::::*
	cpe:2.3:o:google:android:13.0:::::::*
	cpe:2.3:o:yoctoproject:yocto:3.1:::::::*
	cpe:2.3:o:yoctoproject:yocto:3.3:::::::*
	cpe:2.3:o:yoctoproject:yocto:4.0:::::::*

OR	cpe:2.3:h:mediatek:mt6781:-:::::::*
	cpe:2.3:h:mediatek:mt6789:-:::::::*
	cpe:2.3:h:mediatek:mt6833:-:::::::*
	cpe:2.3:h:mediatek:mt6855:-:::::::*
	cpe:2.3:h:mediatek:mt6877:-:::::::*
	cpe:2.3:h:mediatek:mt6879:-:::::::*
	cpe:2.3:h:mediatek:mt6895:-:::::::*
	cpe:2.3:h:mediatek:mt6983:-:::::::*
	cpe:2.3:h:mediatek:mt8167s:-:::::::*
	cpe:2.3:h:mediatek:mt8168:-:::::::*
	cpe:2.3:h:mediatek:mt8169:-:::::::*
	cpe:2.3:h:mediatek:mt8175:-:::::::*
	cpe:2.3:h:mediatek:mt8185:-:::::::*
	cpe:2.3:h:mediatek:mt8362a:-:::::::*
	cpe:2.3:h:mediatek:mt8365:-:::::::*
	cpe:2.3:h:mediatek:mt8385:-:::::::*
	cpe:2.3:h:mediatek:mt8518:-:::::::*
	cpe:2.3:h:mediatek:mt8532:-:::::::*
	cpe:2.3:h:mediatek:mt8675:-:::::::*
	cpe:2.3:h:mediatek:mt8695:-:::::::*
	cpe:2.3:h:mediatek:mt8766:-:::::::*
	cpe:2.3:h:mediatek:mt8768:-:::::::*
	cpe:2.3:h:mediatek:mt8771:-:::::::*
	cpe:2.3:h:mediatek:mt8781:-:::::::*
	cpe:2.3:h:mediatek:mt8786:-:::::::*
	cpe:2.3:h:mediatek:mt8788:-:::::::*
	cpe:2.3:h:mediatek:mt8789:-:::::::*
	cpe:2.3:h:mediatek:mt8791t:-:::::::*
	cpe:2.3:h:mediatek:mt8797:-:::::::*
	cpe:2.3:h:mediatek:mt8798:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:o:linux:linux_kernel:4.19:*:*:*:*:*:*:*

OR	cpe:2.3:h:mediatek:mt5221:-:::::::*
	cpe:2.3:h:mediatek:mt7663:-:::::::*
	cpe:2.3:h:mediatek:mt7668:-:::::::*
	cpe:2.3:h:mediatek:mt7902:-:::::::*
	cpe:2.3:h:mediatek:mt7921:-:::::::*

No data.

Project Subscriptions

Vendors	Products
Google Subscribe	Android Subscribe
Linux Subscribe	Linux Kernel Subscribe
Linuxfoundation Subscribe	Yocto Subscribe
Mediatek Subscribe	Mt5221 Subscribe Mt6781 Subscribe Mt6789 Subscribe Mt6833 Subscribe Mt6855 Subscribe Mt6877 Subscribe Mt6879 Subscribe Mt6895 Subscribe Mt6983 Subscribe Mt7663 Subscribe Mt7668 Subscribe Mt7902 Subscribe Mt7921 Subscribe Mt8167s Subscribe Mt8168 Subscribe Mt8169 Subscribe Mt8175 Subscribe Mt8185 Subscribe Mt8362a Subscribe Mt8365 Subscribe Mt8385 Subscribe Mt8518 Subscribe Mt8532 Subscribe Mt8675 Subscribe Mt8695 Subscribe Mt8766 Subscribe Mt8768 Subscribe Mt8771 Subscribe Mt8781 Subscribe Mt8786 Subscribe Mt8788 Subscribe Mt8789 Subscribe Mt8791t Subscribe Mt8797 Subscribe Mt8798 Subscribe
Yoctoproject Subscribe	Yocto Subscribe

Advisories

Source	ID	Title
EUVD	EUVD-2023-24856	In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588436.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://corp.mediatek.com/product-security-bulletin/April-2023

History

Wed, 23 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Linuxfoundation Linuxfoundation yocto
CPEs		cpe:2.3:a:linuxfoundation:yocto:3.1:::::::* cpe:2.3:a:linuxfoundation:yocto:3.3:::::::* cpe:2.3:a:linuxfoundation:yocto:4.0:::::::*
Vendors & Products		Linuxfoundation Linuxfoundation yocto
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: MediaTek

Published: 2023-04-06T00:00:00

Updated: 2024-10-23T14:21:59.661Z

Reserved: 2022-10-28T00:00:00

Link: CVE-2023-20677

Vulnrichment

Updated: 2024-08-02T09:14:39.893Z

NVD

Status : Modified

Published: 2023-04-06T18:15:09.357

Modified: 2024-11-21T07:41:20.183

Link: CVE-2023-20677

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-125

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object