witchcraze / NVD_CHECK


CHK NVD : CVE-2023-40283 - acb54df4 #4491

Open witchcraze opened 1 week ago

witchcraze commented 1 week ago

[CVE Configuration Update Request] Update Suggestion - CVE-2023-40283 - Cvss3 : 7.8

- https://www.linuxkernelcves.com/cves/CVE-2023-40283
- https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec/-/blob/master/issues/CVE-2023-40283.yml
- https://github.com/witchcraze/NVD_CHECK/blob/main/kernel/CVE-2023-40283.json

- CVE-2023-40283
- Suggested Configuration
  - OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.14.0 up to (excluding) 4.14.322
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.19.0 up to (excluding) 4.19.291
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.10.0 up to (excluding) 5.10.190
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15.0 up to (excluding) 5.15.126
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.4.0 up to (excluding) 5.4.253
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.1.0 up to (excluding) 6.1.45
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.4.0 up to (excluding) 6.4.10
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.5.0 up to (excluding) 6.5
- Reference
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.14.322
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.19.291
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.10.190
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.15.126
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.4.253
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.1.45
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.4.10
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.5
- Reference (Commit)
  - Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
    - Fixed by
      - 4.14.322 (51822644a047eac2310fab0799b64e3430b5a111)
      - 4.19.291 (82cdb2ccbe43337798393369f0ceb98699fe6037)
      - 5.10.190 (06f87c96216bc5cd1094c23492274f77f1d5dd3b)
      - 5.15.126 (fbe5a2fed8156cc19eb3b956602b0a1dd46a302d)
      - 5.4.253 (a2da00d1ea1abfb04f846638e210b5b5166e3c9c)
      - 6.1.45 (29fac18499332211b2615ade356e2bd8b3269f98)
      - 6.4.10 (10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9)
      - 6.5 (1728137b33c00d5a2b5110ed7aafb42e7c32e4a1) (upstream)
    - Will be introduced by
      - https://github.com/torvalds/linux/commit/9f0caeb1deaf
- I Checked
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX is written as upstream commit in each ChangeLog
  - From XXXXXXXX commit page, XXXXXXXXXXX is the oldest in commit-branches area
  - For 3.16.35, there is a related post on lkml
  - For 3.16 series, 3.16.35 is the next release from 3.16.7 which was released in 2014
  - https://mirrors.edge.kernel.org/pub/linux/kernel/v3.x/
  - XXXX

https://nvd.nist.gov/vuln/detail/CVE-2023-40283

URI Start(Ex) Start(Inc) End(Ex) End(Inc)
cpe:/o:linux:linux_kernel 6.4.10
cpe:/o:debian:debian_linux:12.0
cpe:/o:debian:debian_linux:11.0
cpe:/o:debian:debian_linux:10.0
cpe:/o:canonical:ubuntu_linux:22.04::lts~
cpe:/o:canonical:ubuntu_linux:20.04::lts~
cpe:/o:canonical:ubuntu_linux:18.04::lts~
cpe:/o:canonical:ubuntu_linux:16.04::esm~
cpe:/o:canonical:ubuntu_linux:14.04::esm~

witchcraze commented 5 days ago

- CVE-2023-40283
- Suggested Configuration
  - OR
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.5 up to (excluding) 4.14.322
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.291
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.253
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.190
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.126
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.45
     *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.4.10
- Reference
  - https://ubuntu.com/security/CVE-2023-40283
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.14.322
  - https://www.kernel.org/pub//linux/kernel/v4.x/ChangeLog-4.19.291
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.4.253
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.10.190
  - https://www.kernel.org/pub//linux/kernel/v5.x/ChangeLog-5.15.126
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.1.45
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.4.10
  - https://www.kernel.org/pub//linux/kernel/v6.x/ChangeLog-6.5
- Reference (Commit)
  - Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
    - Fixed by
      - 4.14.322 (51822644a047eac2310fab0799b64e3430b5a111)
      - 4.19.291 (82cdb2ccbe43337798393369f0ceb98699fe6037)
      - 5.4.253 (a2da00d1ea1abfb04f846638e210b5b5166e3c9c)
      - 5.10.190 (06f87c96216bc5cd1094c23492274f77f1d5dd3b)
      - 5.15.126 (fbe5a2fed8156cc19eb3b956602b0a1dd46a302d)
      - 6.1.45 (29fac18499332211b2615ade356e2bd8b3269f98)
      - 6.4.10 (10426afe65c8bf7b24dd0c7be4dcc65f86fc99f9)
      - 6.5 (1728137b33c00d5a2b5110ed7aafb42e7c32e4a1) (upstream)
    - Will be introduced by
      - https://github.com/torvalds/linux/commit/9f0caeb1deaf (v3.5-rc1)
- I Checked
  - From ubuntu page
    - Introduced by 9f0caeb1deafa9a894ee03134f6642c3a245b1af Fixed by 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1
  - 1728137b33c00d5a2b5110ed7aafb42e7c32e4a1 is written as upstream commit in each ChangeLog
  - From 9f0caeb1deaf commit page, v3.5-rc1 is the oldest in commit-branches area
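
As an added example (not part of the issue or of the NVD_CHECK project), the Python below parses the range lines of the second suggested configuration and reports which range, if any, contains a given upstream kernel version. The function names are made up for this example, and the comparison assumes mainline/stable version numbers: distribution kernels backport fixes without changing their base version, so a match there is only a prompt to check the vendor advisory.

```python
import re

# Range lines copied from the suggested configuration in the second comment above.
SUGGESTED = """\
*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 3.5 up to (excluding) 4.14.322
*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.15 up to (excluding) 4.19.291
*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.253
*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.190
*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.126
*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.45
*cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.4.10
"""

RANGE_RE = re.compile(
    r"(cpe:2\.3:\S+) versions from \(including\) (\S+) up to \(excluding\) (\S+)"
)

def vtuple(version):
    """'5.4.253' -> (5, 4, 253); a suffix such as '-rc1' or '-91-generic' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"not a kernel version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def parse_ranges(text):
    """Return [(cpe, start_inclusive, end_exclusive)] for every range line."""
    return [(c, vtuple(s), vtuple(e)) for c, s, e in RANGE_RE.findall(text)]

def matching_range(version, ranges):
    """Return the (start, end) range containing version, or None if outside all."""
    v = vtuple(version)
    for cpe, start, end in ranges:
        if start <= v < end:  # start is inclusive, end (the fixed release) is exclusive
            return start, end
    return None

if __name__ == "__main__":
    ranges = parse_ranges(SUGGESTED)
    # Constructed sample versions: one below the first range, then fixed/unfixed pairs.
    for v in ("3.4.113", "4.14.321", "4.14.322", "5.10.190", "6.4.9", "6.5"):
        hit = matching_range(v, ranges)
        print(v, "in range" if hit else "outside all ranges", hit or "")
```

Because each range ends at a fixed stable release and the next one starts at the following minor series, a fixed release such as 4.14.322 or 5.10.190 falls into the gap between two ranges and matches none of them.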