ID

VAR-202304-2249


CVE

CVE-2023-30546


TITLE

Out-of-bounds read vulnerability in Contiki-NG

Trust: 0.8

sources: JVNDB: JVNDB-2023-009689

DESCRIPTION

Contiki-NG is an operating system for Internet of Things devices. An off-by-one error can be triggered in the Antelope database management system in the Contiki-NG operating system in versions 4.8 and prior. The problem exists in the Contiki File System (CFS) backend for the storage of data (file os/storage/antelope/storage-cfs.c). In the functions `storage_get_index` and `storage_put_index`, a buffer for merging two strings is allocated with one byte less than the maximum size of the merged strings, causing subsequent calls to the `cfs_open` function to read memory beyond the end of the buffer. The vulnerability has been patched in the "develop" branch of Contiki-NG and is expected to be included in the next release. As a workaround, the problem can be fixed by applying the patch in Contiki-NG pull request #2425. Contiki-NG contains an out-of-bounds read vulnerability and a vulnerability related to incorrect determination of boundary conditions. Information may be obtained.

Trust: 2.25

sources: NVD: CVE-2023-30546 // JVNDB: JVNDB-2023-009689 // CNNVD: CNNVD-202304-2129 // VULMON: CVE-2023-30546

AFFECTED PRODUCTS

vendor: contiki ng, model: contiki-ng, scope: lte, version: 4.8

Trust: 1.0

vendor: contiki ng, model: contiki-ng, scope: -, version: -

Trust: 0.8

vendor: contiki ng, model: contiki-ng, scope: eq, version: -

Trust: 0.8

vendor: contiki ng, model: contiki-ng, scope: lte, version: 4.8 and earlier

Trust: 0.8

sources: JVNDB: JVNDB-2023-009689 // NVD: CVE-2023-30546

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-30546
value: HIGH

Trust: 1.0

security-advisories@github.com: CVE-2023-30546
value: CRITICAL

Trust: 1.0

NVD: CVE-2023-30546
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202304-2129
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2023-30546
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2023-30546
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-30546
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-009689 // CNNVD: CNNVD-202304-2129 // NVD: CVE-2023-30546 // NVD: CVE-2023-30546

PROBLEMTYPE DATA

problemtype: CWE-193

Trust: 1.0

problemtype: CWE-125

Trust: 1.0

problemtype: Out-of-bounds read (CWE-125) [ others ]

Trust: 0.8

problemtype: Determination of boundary conditions (CWE-193) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-009689 // NVD: CVE-2023-30546

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-2129

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202304-2129

EXTERNAL IDS

db: NVD, id: CVE-2023-30546

Trust: 3.3

db: JVNDB, id: JVNDB-2023-009689

Trust: 0.8

db: CNNVD, id: CNNVD-202304-2129

Trust: 0.6

db: VULMON, id: CVE-2023-30546

Trust: 0.1

sources: VULMON: CVE-2023-30546 // JVNDB: JVNDB-2023-009689 // CNNVD: CNNVD-202304-2129 // NVD: CVE-2023-30546

REFERENCES

url: https://github.com/contiki-ng/contiki-ng/security/advisories/ghsa-257g-w39m-5jj4

Trust: 2.5

url: https://github.com/contiki-ng/contiki-ng/pull/2425

Trust: 2.5

url: https://nvd.nist.gov/vuln/detail/cve-2023-30546

Trust: 0.8

url: https://cxsecurity.com/cveshow/cve-2023-30546/

Trust: 0.6

url: https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url: https://cwe.mitre.org/data/definitions/193.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-30546 // JVNDB: JVNDB-2023-009689 // CNNVD: CNNVD-202304-2129 // NVD: CVE-2023-30546

SOURCES

db: VULMON, id: CVE-2023-30546
db: JVNDB, id: JVNDB-2023-009689
db: CNNVD, id: CNNVD-202304-2129
db: NVD, id: CVE-2023-30546

LAST UPDATE DATE

2024-08-14T15:00:22.720000+00:00


SOURCES UPDATE DATE

db: VULMON, id: CVE-2023-30546, date: 2023-04-27T00:00:00
db: JVNDB, id: JVNDB-2023-009689, date: 2023-12-06T05:57:00
db: CNNVD, id: CNNVD-202304-2129, date: 2023-05-10T00:00:00
db: NVD, id: CVE-2023-30546, date: 2023-05-09T14:27:08.370

SOURCES RELEASE DATE

db: VULMON, id: CVE-2023-30546, date: 2023-04-26T00:00:00
db: JVNDB, id: JVNDB-2023-009689, date: 2023-12-06T00:00:00
db: CNNVD, id: CNNVD-202304-2129, date: 2023-04-26T00:00:00
db: NVD, id: CVE-2023-30546, date: 2023-04-26T19:15:09.070