# Vulnerable Library - sulinoswpa_supplicant-2.9

Independent distro uses inary package system. Sulin is rolling donkey

Library home page: https://sourceforge.net/projects/sulinos/

Found in HEAD commit: 802457f036ab4eb3ba012bdede243dbbc52f72ec

# Vulnerable Source Files (1)

/vendor/hostapd-2.9/src/p2p/p2p_pd.c

# Vulnerabilities
# Details
## CVE-2024-5290

### Vulnerable Library - sulinoswpa_supplicant-2.9

Independent distro uses inary package system. Sulin is rolling donkey

Library home page: https://sourceforge.net/projects/sulinos/

Found in HEAD commit: 802457f036ab4eb3ba012bdede243dbbc52f72ec

Found in base branch: main

### Vulnerable Source Files (1)

/vendor/hostapd-2.9/src/crypto/tls_openssl.c

### Vulnerability Details

An issue was discovered in Ubuntu wpa_supplicant that resulted in loading of arbitrary shared objects, which allows a local unprivileged attacker to escalate privileges to the user that wpa_supplicant runs as (usually root). Membership in the netdev group or access to the dbus interface of wpa_supplicant allows an unprivileged user to specify an arbitrary path to a module to be loaded by the wpa_supplicant process; other escalation paths might exist.

Publish Date: 2024-08-07

URL: CVE-2024-5290

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

## CVE-2023-45853
### Vulnerable Library - sulinoswpa_supplicant-2.9

Independent distro uses inary package system. Sulin is rolling donkey

Library home page: https://sourceforge.net/projects/sulinos/

Found in HEAD commit: 802457f036ab4eb3ba012bdede243dbbc52f72ec

Found in base branch: main

### Vulnerable Source Files (1)

/vendor/zlib-1.2.11.1/contrib/minizip/zip.c

### Vulnerability Details

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

Publish Date: 2023-10-14

URL: CVE-2023-45853

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-45853

Release Date: 2023-10-14

Fix Resolution: v1.3.1

## CVE-2021-0516
### Vulnerable Library - sulinoswpa_supplicant-2.9

Independent distro uses inary package system. Sulin is rolling donkey

Library home page: https://sourceforge.net/projects/sulinos/

Found in HEAD commit: 802457f036ab4eb3ba012bdede243dbbc52f72ec

Found in base branch: main

### Vulnerable Source Files (1)

/vendor/hostapd-2.9/src/p2p/p2p_pd.c

### Vulnerability Details

In p2p_process_prov_disc_req of p2p_pd.c, there is a possible out of bounds read and write due to a use after free. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android

Versions: Android-11, Android-8.1, Android-9, Android-10

Android ID: A-181660448

Publish Date: 2021-06-21

URL: CVE-2021-0516

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (9.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://source.android.com/security/bulletin/2021-06-01

Release Date: 2021-06-21

Fix Resolution: android-11.0.0_r38

## CVE-2021-38185
### Vulnerable Libraries - sulinoswpa_supplicant-2.9

### Vulnerability Details

GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.

Publish Date: 2021-08-07

URL: CVE-2021-38185

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 4 Score Details (8.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-38185

Release Date: 2021-08-08

Fix Resolution: cpio - 2.13+dfsg-5

## CVE-2021-27803
### Vulnerable Library - sulinoswpa_supplicant-2.9

Independent distro uses inary package system. Sulin is rolling donkey

Library home page: https://sourceforge.net/projects/sulinos/

Found in HEAD commit: 802457f036ab4eb3ba012bdede243dbbc52f72ec

Found in base branch: main

### Vulnerable Source Files (1)

/vendor/hostapd-2.9/src/p2p/p2p_pd.c

### Vulnerability Details

A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range.

Publish Date: 2021-02-26

URL: CVE-2021-27803

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 4 Score Details (7.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-27803

Release Date: 2021-02-26

Fix Resolution: wpa_supplicant - 2.6-12, 2.7-2, 2.9-2; wpa_supplicant-debugsource - 2.7-2, 2.9-2; wpa_supplicant-debuginfo - 2.6-12, 2.7-2, 2.9-2

## CVE-2023-52160
### Vulnerable Libraries - sulinoswpa_supplicant-2.9

### Vulnerability Details

The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks.

Publish Date: 2024-02-22

URL: CVE-2023-52160

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (7.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52160

Release Date: 2024-02-22

Fix Resolution: 8e6485a1bcb0baffdea9e55255a81270b768439c

## CVE-2019-14866
### Vulnerable Library - sulinoswpa_supplicant-2.9

Independent distro uses inary package system. Sulin is rolling donkey

Library home page: https://sourceforge.net/projects/sulinos/

Found in HEAD commit: 802457f036ab4eb3ba012bdede243dbbc52f72ec

Found in base branch: main

### Vulnerable Source Files (1)

/vendor/cpio-2.12/src/copyout.c

### Vulnerability Details

All versions of cpio before 2.13 do not properly validate input files when generating TAR archives. When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths the attacker did not have access to. Extracting those archives as a high-privilege user without carefully reviewing them may lead to the compromise of the system.

Publish Date: 2020-01-07

URL: CVE-2019-14866

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (7.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: N/A
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14866

Release Date: 2020-01-10

Fix Resolution: release_2_13

## CVE-2023-7207
### Vulnerable Library - sulinoswpa_supplicant-2.9

Independent distro uses inary package system. Sulin is rolling donkey

Library home page: https://sourceforge.net/projects/sulinos/

Found in HEAD commit: 802457f036ab4eb3ba012bdede243dbbc52f72ec

Found in base branch: main

### Vulnerable Source Files (1)

/vendor/cpio-2.12/src/copyin.c

### Vulnerability Details

Debian's cpio contains a path traversal vulnerability. This issue was introduced by reverting CVE-2015-1197 patches which had caused a regression in --no-absolute-filenames. Upstream has since provided a proper fix to --no-absolute-filenames.

Mend Note: Converted from WS-2023-0436, on 2024-02-29.

Publish Date: 2024-01-05

URL: CVE-2023-7207

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 4 Score Details (6.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059163

Release Date: 2024-02-29

Fix Resolution: v2.14

## CVE-2021-30004
### Vulnerable Libraries - sulinoswpa_supplicant-2.9

### Vulnerability Details

In wpa_supplicant and hostapd 2.9, forging attacks may occur because AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and tls/x509v3.c.

Publish Date: 2021-04-02

URL: CVE-2021-30004

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 4 Score Details (6.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-30004

Release Date: 2021-04-02

Fix Resolution: wpa-supplicant - 2.9