Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2022-37454

Опубликовано: 21 окт. 2022
Источник: debian
EPSS Низкий

Описание

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
php8.1fixed8.1.12-1package
php7.4removedpackage
php7.3removedpackage
python3.10fixed3.10.9-1package
python3.9removedpackage
python3.7removedpackage
python2.7not-affectedpackage
pysha3fixed1.0.2-5package
pypy3fixed7.3.9+dfsg-5package
pypy3not-affectedbusterpackage

Примечания

  • https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658

  • https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a

  • https://mouha.be/sha-3-buffer-overflow/

  • PHP Bug: https://bugs.php.net/bug.php?id=81738

  • PHP fixed in: 7.4.33, 8.0.25, 8.1.12

  • For PHP, introduced in: https://github.com/php/php-src/commit/91663a92d1697fc30a7ba4687d73e0f63ec2baa1 (php-7.2.0alpha1)

  • Fixed by: https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd (php-8.2.0RC5)

  • https://github.com/python/cpython/issues/98517

  • https://github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3 (v3.10.9)

  • https://github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8 (v3.9.16)

  • https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (v3.8.16)

  • https://github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5 (v3.7.16)

  • For Python, introduced in: https://github.com/python/cpython/commit/6fe2a75b645044ca2b5dac03e8d850567b547a9a (3.6)

  • Versions which have the OpenSSL sha3 delegation are not affected by the issue and only ship

  • source-wise the bundled _sha3 XKCP module code.

  • OpenSSL sha3 delegation added in https://github.com/python/cpython/commit/d5b3f6b7f9fc74438009af63f1de01bd77be9385 (v3.9.0b1)

  • https://python-security.readthedocs.io/vuln/sha3-buffer-overflow.html

  • pypy3 fix: https://foss.heptapod.net/pypy/pypy/-/commit/860b897b2611a4099ef9c63ce848fdec89c74b31

EPSS

Процентиль: 78%
0.01202
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2022-37454

CVSS3: 9.8
ubuntu
больше 2 лет назад

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

redhat логотип

CVE-2022-37454

CVSS3: 8.1
redhat
больше 2 лет назад

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

nvd логотип

CVE-2022-37454

CVSS3: 9.8
nvd
больше 2 лет назад

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

msrc логотип

CVE-2022-37454

CVSS3: 9.8
msrc
больше 2 лет назад

Описание отсутствует

github логотип

GHSA-6w4m-2xhg-2658

CVSS3: 9.8
github
около 2 лет назад

Buffer overflow in sponge queue functions

EPSS

Процентиль: 78%
0.01202
Низкий