Executive Summary

Information
Name: CVE-2023-40012
Vendor: Cve
First vendor Publication: 2023-08-09
Last vendor Modification: 2023-08-16

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Overall CVSS Score: 7.5
Base Score: 7.5
Environmental Score: 7.5
Impact Sub Score: 3.6
Temporal Score: 7.5
Exploitability Sub Score: 3.9
 
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score: N/A
Cvss Impact Score: N/A
Cvss Exploit Score: N/A
Attack Range: N/A
Attack Complexity: N/A
Authentication: N/A

Detail

uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Versions of uthenticode prior to the 2.x series did not check Extended Key Usages in certificates, in violation of the Authenticode X.509 certificate profile. As a result, a malicious user could produce a "signed" PE file that uthenticode would verify and consider valid using an X.509 certificate that isn't entitled to produce code signatures (e.g., an SSL certificate). By design, uthenticode does not perform full-chain validation. However, the absence of EKU validation was an unintended oversight. The 2.0.0 release series includes EKU checks. There are no workarounds for this vulnerability.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40012

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-347 Improper Verification of Cryptographic Signature
50 % CWE-325 Missing Required Cryptographic Step

CPE : Common Platform Enumeration

Type Description Count
Application 1

Sources (Detail)

Source Url
MISC https://github.com/trailofbits/uthenticode/commit/caeb1eb62412605f71bd96ce9bb...
https://github.com/trailofbits/uthenticode/pull/78
https://github.com/trailofbits/uthenticode/security/advisories/GHSA-gm2f-j4rj...

Alert History

Date Information
2023-08-16 21:27:24
  • Multiple Updates
2023-08-10 00:27:19
  • Multiple Updates
2023-08-09 21:27:17
  • First insertion