QwikSec

Security Database

CVE

CWE

Training

CVE-2023-2977

Published: Jun 1, 2023

Modified: Nov 3, 2025

PUBLISHED

Description

A vulnerbility was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible.

Vendor	Product	Versions
n/a	OpenSC	affected `opensc-0.23.0`

Weaknesses (CWE)

References

https://access.redhat.com/security/cve/CVE-2023-2977

https://bugzilla.redhat.com/show_bug.cgi?id=2211088

https://github.com/OpenSC/OpenSC/issues/2785

https://github.com/OpenSC/OpenSC/pull/2787

[debian-lts-announce] 20230621 [SECURITY] [DLA 3463-1] opensc security update

mailing-list

FEDORA-2023-29530cc60b

vendor-advisory

FEDORA-2023-2afb831742

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.