CVE-2013-2547

high

Description

The crypto_report_one function in crypto/crypto_user.c in the report API in the crypto user configuration API in the Linux kernel through 3.8.2 does not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability.

References

https://github.com/torvalds/linux/commit/9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6

http://www.ubuntu.com/usn/USN-1797-1

http://www.ubuntu.com/usn/USN-1796-1

http://www.ubuntu.com/usn/USN-1795-1

http://www.ubuntu.com/usn/USN-1794-1

http://www.ubuntu.com/usn/USN-1793-1

http://www.openwall.com/lists/oss-security/2013/03/05/13

http://www.mandriva.com/security/advisories?name=MDVSA-2013:176

http://lists.opensuse.org/opensuse-updates/2013-12/msg00129.html

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=9a5467bf7b6e9e02ec9c3da4e23747c05faeaac6

Details

Source: Mitre, NVD

Published: 2013-03-15

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 7.1

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Severity: High