csaf_suse - suse-su-2023:4104-1

Vulnerability from csaf_suse

Published

2023-10-17 15:36

Modified

2023-10-17 15:36

Summary

Security update for opensc

Notes

Title of the patch

Security update for opensc

Description of the patch

This update for opensc fixes the following issues: - CVE-2023-40660: Fixed a PIN bypass that could be triggered when cards tracked their own login state (bsc#1215762). - CVE-2023-40661: Fixed several memory safety issues that could happen during the card enrollment process using pkcs15-init (bsc#1215761).

Patchnames

SUSE-2023-4104,SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-4104,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4104,SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4104,SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4104,SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-4104,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4104,SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4104,SUSE-SLE-Product-SLES_SAP-15-SP1-2023-4104,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4104,SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4104,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-4104,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4104,SUSE-SUSE-MicroOS-5.1-2023-4104,SUSE-SUSE-MicroOS-5.2-2023-4104,SUSE-Storage-7.1-2023-4104

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for opensc",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for opensc fixes the following issues:\n\n- CVE-2023-40660: Fixed a PIN bypass that could be triggered when\n  cards tracked their own login state (bsc#1215762).\n- CVE-2023-40661: Fixed several memory safety issues that could happen\n  during the card enrollment process using pkcs15-init (bsc#1215761).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2023-4104,SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-4104,SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4104,SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4104,SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4104,SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-4104,SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4104,SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4104,SUSE-SLE-Product-SLES_SAP-15-SP1-2023-4104,SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4104,SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4104,SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-4104,SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4104,SUSE-SUSE-MicroOS-5.1-2023-4104,SUSE-SUSE-MicroOS-5.2-2023-4104,SUSE-Storage-7.1-2023-4104",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_4104-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2023:4104-1",
        "url": "https://www.suse.com/support/update/announcement/2023/suse-su-20234104-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2023:4104-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-October/016707.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1215761",
        "url": "https://bugzilla.suse.com/1215761"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1215762",
        "url": "https://bugzilla.suse.com/1215762"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-40660 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-40660/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-40661 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-40661/"
      }
    ],
    "title": "Security update for opensc",
    "tracking": {
      "current_release_date": "2023-10-17T15:36:49Z",
      "generator": {
        "date": "2023-10-17T15:36:49Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2023:4104-1",
      "initial_release_date": "2023-10-17T15:36:49Z",
      "revision_history": [
        {
          "date": "2023-10-17T15:36:49Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "opensc-0.19.0-150100.3.25.1.aarch64",
                "product": {
                  "name": "opensc-0.19.0-150100.3.25.1.aarch64",
                  "product_id": "opensc-0.19.0-150100.3.25.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "opensc-64bit-0.19.0-150100.3.25.1.aarch64_ilp32",
                "product": {
                  "name": "opensc-64bit-0.19.0-150100.3.25.1.aarch64_ilp32",
                  "product_id": "opensc-64bit-0.19.0-150100.3.25.1.aarch64_ilp32"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64_ilp32"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "opensc-0.19.0-150100.3.25.1.i586",
                "product": {
                  "name": "opensc-0.19.0-150100.3.25.1.i586",
                  "product_id": "opensc-0.19.0-150100.3.25.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "opensc-0.19.0-150100.3.25.1.ppc64le",
                "product": {
                  "name": "opensc-0.19.0-150100.3.25.1.ppc64le",
                  "product_id": "opensc-0.19.0-150100.3.25.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "opensc-0.19.0-150100.3.25.1.s390x",
                "product": {
                  "name": "opensc-0.19.0-150100.3.25.1.s390x",
                  "product_id": "opensc-0.19.0-150100.3.25.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "opensc-0.19.0-150100.3.25.1.x86_64",
                "product": {
                  "name": "opensc-0.19.0-150100.3.25.1.x86_64",
                  "product_id": "opensc-0.19.0-150100.3.25.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "opensc-32bit-0.19.0-150100.3.25.1.x86_64",
                "product": {
                  "name": "opensc-32bit-0.19.0-150100.3.25.1.x86_64",
                  "product_id": "opensc-32bit-0.19.0-150100.3.25.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP1-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP1-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP1",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP1",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Manager Proxy 4.2",
                "product": {
                  "name": "SUSE Manager Proxy 4.2",
                  "product_id": "SUSE Manager Proxy 4.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-manager-proxy:4.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Manager Server 4.2",
                "product": {
                  "name": "SUSE Manager Server 4.2",
                  "product_id": "SUSE Manager Server 4.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-manager-server:4.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.1",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.1",
                  "product_id": "SUSE Linux Enterprise Micro 5.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-microos:5.1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Micro 5.2",
                "product": {
                  "name": "SUSE Linux Enterprise Micro 5.2",
                  "product_id": "SUSE Linux Enterprise Micro 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-microos:5.2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Enterprise Storage 7.1",
                "product": {
                  "name": "SUSE Enterprise Storage 7.1",
                  "product_id": "SUSE Enterprise Storage 7.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:ses:7.1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.s390x as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.s390x"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP1-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP1-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.s390x as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.s390x"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.s390x as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.s390x"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.ppc64le"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP1",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.ppc64le"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.ppc64le"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Manager Proxy 4.2",
          "product_id": "SUSE Manager Proxy 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Manager Proxy 4.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.ppc64le as component of SUSE Manager Server 4.2",
          "product_id": "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.ppc64le"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.ppc64le",
        "relates_to_product_reference": "SUSE Manager Server 4.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.s390x as component of SUSE Manager Server 4.2",
          "product_id": "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.s390x"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.s390x",
        "relates_to_product_reference": "SUSE Manager Server 4.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Manager Server 4.2",
          "product_id": "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Manager Server 4.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise Micro 5.1",
          "product_id": "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.s390x as component of SUSE Linux Enterprise Micro 5.1",
          "product_id": "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.s390x"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Micro 5.1",
          "product_id": "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.s390x as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.s390x"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Linux Enterprise Micro 5.2",
          "product_id": "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Micro 5.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.aarch64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.aarch64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.aarch64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "opensc-0.19.0-150100.3.25.1.x86_64 as component of SUSE Enterprise Storage 7.1",
          "product_id": "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.x86_64"
        },
        "product_reference": "opensc-0.19.0-150100.3.25.1.x86_64",
        "relates_to_product_reference": "SUSE Enterprise Storage 7.1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-40660",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-40660"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user\u0027s awareness.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Manager Proxy 4.2:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-40660",
          "url": "https://www.suse.com/security/cve/CVE-2023-40660"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215762 for CVE-2023-40660",
          "url": "https://bugzilla.suse.com/1215762"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Proxy 4.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Proxy 4.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-10-17T15:36:49Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-40660"
    },
    {
      "cve": "CVE-2023-40661",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-40661"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow \r\ncompromise key generation, certificate loading, and other card management operations during enrollment.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Manager Proxy 4.2:opensc-0.19.0-150100.3.25.1.x86_64",
          "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.ppc64le",
          "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.s390x",
          "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-40661",
          "url": "https://www.suse.com/security/cve/CVE-2023-40661"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215761 for CVE-2023-40661",
          "url": "https://bugzilla.suse.com/1215761"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Proxy 4.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Enterprise Storage 7.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Micro 5.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP1-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP2-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.aarch64",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Linux Enterprise Server 15 SP3-LTSS:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP1:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP3:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Proxy 4.2:opensc-0.19.0-150100.3.25.1.x86_64",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.ppc64le",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.s390x",
            "SUSE Manager Server 4.2:opensc-0.19.0-150100.3.25.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-10-17T15:36:49Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-40661"
    }
  ]
}

cve-2023-40661

Vulnerability from cvelistv5

Published

2023-11-06 16:58

Modified

2024-11-23 03:33

Severity ?

5.4 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Summary

Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow compromise key generation, certificate loading, and other card management operations during enrollment.

References

▼	URL	Tags
	https://access.redhat.com/errata/RHSA-2023:7876	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:7879	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2023-40661	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2240913	issue-tracking, x_refsource_REDHAT
	https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
	https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
	https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories

Impacted products

Vendor

Product

Version

▼

Version: 0 ≤

Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:0.20.0-7.el8_9 < * cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:0.23.0-3.el9_3 < * cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:38:51.138Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/12/13/3"
          },
          {
            "name": "RHSA-2023:7876",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7876"
          },
          {
            "name": "RHSA-2023:7879",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7879"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-40661"
          },
          {
            "name": "RHBZ#2240913",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240913"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/OpenSC/OpenSC",
          "defaultStatus": "unaffected",
          "packageName": "OpenSC",
          "versions": [
            {
              "lessThan": "0.24.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "opensc",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.20.0-7.el8_9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "opensc",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.23.0-3.el9_3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "opensc",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-09-25T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow \r\ncompromise key generation, certificate loading, and other card management operations during enrollment."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-23T03:33:10.705Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:7876",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7876"
        },
        {
          "name": "RHSA-2023:7879",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7879"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-40661"
        },
        {
          "name": "RHBZ#2240913",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240913"
        },
        {
          "url": "https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651"
        },
        {
          "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1"
        },
        {
          "url": "https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-27T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Opensc: multiple memory issues with pkcs15-init (enrollment tool)",
      "x_redhatCweChain": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-40661",
    "datePublished": "2023-11-06T16:58:43.029Z",
    "dateReserved": "2023-08-18T08:08:53.353Z",
    "dateUpdated": "2024-11-23T03:33:10.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-40660

Vulnerability from cvelistv5

Published

2023-11-06 16:58

Modified

2024-12-04 07:16

Severity ?

6.6 (Medium) - CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user's awareness.

References

▼	URL	Tags
	https://access.redhat.com/errata/RHSA-2023:7876	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:7879	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2023-40660	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2240912	issue-tracking, x_refsource_REDHAT
	https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
	https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
	https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories

Impacted products

Vendor

Product

Version

▼

Version: 0.17.0 ≤

Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:0.20.0-7.el8_9 < * cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 9	Unaffected: 0:0.23.0-3.el9_3 < * cpe:/o:redhat:enterprise_linux:9::baseos
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:38:51.123Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/12/13/2"
          },
          {
            "name": "RHSA-2023:7876",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7876"
          },
          {
            "name": "RHSA-2023:7879",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7879"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-40660"
          },
          {
            "name": "RHBZ#2240912",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240912"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/OpenSC/OpenSC",
          "defaultStatus": "unaffected",
          "packageName": "OpenSC",
          "versions": [
            {
              "lessThan": "0.24.0",
              "status": "affected",
              "version": "0.17.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "opensc",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.20.0-7.el8_9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "opensc",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:0.23.0-3.el9_3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "opensc",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Upstream acknowledges Deepanjan Pal (Oracle Corporation) as the original reporter."
        }
      ],
      "datePublic": "2023-09-25T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in OpenSC packages that allow a potential PIN bypass. When a token/card is authenticated by one process, it can perform cryptographic operations in other processes when an empty zero-length pin is passed. This issue poses a security risk, particularly for OS logon/screen unlock and for small, permanently connected tokens to computers. Additionally, the token can internally track login status. This flaw allows an attacker to gain unauthorized access, carry out malicious actions, or compromise the system without the user\u0027s awareness."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-04T07:16:50.963Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:7876",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7876"
        },
        {
          "name": "RHSA-2023:7879",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7879"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-40660"
        },
        {
          "name": "RHBZ#2240912",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240912"
        },
        {
          "url": "https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651"
        },
        {
          "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1"
        },
        {
          "url": "https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-27T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-09-25T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Opensc: potential pin bypass when card tracks its own login state",
      "x_redhatCweChain": "CWE-287: Improper Authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-40660",
    "datePublished": "2023-11-06T16:58:42.939Z",
    "dateReserved": "2023-08-18T08:08:53.353Z",
    "dateUpdated": "2024-12-04T07:16:50.963Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_suse

cve-2023-40661

Vulnerability from cvelistv5

cve-2023-40660

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature