CVE-2022-23004

When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities	Product Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:westerndigital:sweet_b:1:*:*:*:*:*:*:*

History

05 Aug 2022, 18:49

Type	Values Removed	Values Added
References	~~(MISC) https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities -~~	(MISC) https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities - Product, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:westerndigital:sweet_b:1:::::::*
First Time		Westerndigital Westerndigital sweet B
CWE		CWE-682

29 Jul 2022, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-07-29 19:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-23004

Mitre link : CVE-2022-23004

CVE.ORG link : CVE-2022-23004

JSON object : View

Products Affected

westerndigital

sweet_b

CWE

CWE-682

Incorrect Calculation

CWE-703

Improper Check or Handling of Exceptional Conditions

CWE-707

Improper Neutralization

{"id": "CVE-2022-23004", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "psirt@wdc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-07-29T19:15:08.417", "references": [{"url": "https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities", "tags": ["Product", "Vendor Advisory"], "source": "psirt@wdc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-682"}]}, {"type": "Secondary", "source": "psirt@wdc.com", "description": [{"lang": "en", "value": "CWE-703"}, {"lang": "en", "value": "CWE-707"}]}], "descriptions": [{"lang": "en", "value": "When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components."}, {"lang": "es", "value": "Cuando es calculado un secreto compartido o una multiplicaci\u00f3n de puntos en la curva P-256 de NIST usando una clave p\u00fablica con una coordenada X de cero, la biblioteca devuelve un error y es escrito en el b\u00fafer de salida un valor inv\u00e1lido no reducido. Esto puede ser aprovechado por un atacante para causar un escenario de error, resultando en una denegaci\u00f3n de servicio limitada para un usuario individual. El alcance del impacto no puede extenderse a otros componentes"}], "lastModified": "2022-08-05T18:49:10.837", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:westerndigital:sweet_b:1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD0868BB-4143-41EC-9A15-C16C98EF851C"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@wdc.com"}