INFSA-2024:5297: EDK2 security update
Information about definition
Identifier: INFSA-2024:5297
Type: security
Release date: 2024-08-27 10:12:55 UTC
Information about package
EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM.
Vulnerabilities description
- CVE-2023-45236
A security flaw has been identified in EDK2, the open-source reference implementation of the UEFI specification. This vulnerability enables an unauthorized attacker to potentially disclose sensitive information.
- CVE-2023-45237
A security flaw has been identified in the cryptographic system of EDK2, the open-source reference implementation of the UEFI specification. This vulnerability enables an unauthorized remote attacker to potentially expose sensitive information.
- CVE-2024-1298
EDK2 contains a vulnerability when S3 sleep is activated where an attacker may cause a division-by-zero due to a UINT32 overflow via local access. A successful exploit of this vulnerability may lead to a loss of availability.
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
---|---|---|---|
NIST — CVE-2023-45236 | no information | 7.5 | no information |
NIST — CVE-2023-45237 | no information | 7.5 | no information |
NIST — CVE-2024-1298 | no information | 6.0 | no information |
Updated packages