CVE-2022-37454

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-37454
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://csrc.nist.gov/projects/hash-functions/sha-3-project Third Party Advisory US Government Resource
https://eprint.iacr.org/2023/331
https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/ Mailing List Third Party Advisory
https://mouha.be/sha-3-buffer-overflow/ Exploit Third Party Advisory
https://news.ycombinator.com/item?id=33281106 Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=35050307
https://security.gentoo.org/glsa/202305-02
https://www.debian.org/security/2022/dsa-5267 Third Party Advisory
https://www.debian.org/security/2022/dsa-5269 Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*

Configuration 5 (hide)

OR cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:a:sha3_project:sha3:*:*:*:*:*:ruby:*:*

Configuration 7 (hide)

cpe:2.3:a:pysha3_project:pysha3:*:*:*:*:*:*:*:*

Configuration 8 (hide)

cpe:2.3:a:pypy:pypy:*:*:*:*:*:*:*:*
History

03 May 2023, 11:15

Type Values Removed Values Added
References
  • (MISC) https://security.gentoo.org/glsa/202305-02 -

07 Mar 2023, 04:15

Type Values Removed Values Added
References
  • (MISC) https://eprint.iacr.org/2023/331 -
  • (MISC) https://news.ycombinator.com/item?id=35050307 -

30 Nov 2022, 18:48

Type Values Removed Values Added
CPE cpe:2.3:a:sha3_project:sha3:*:*:*:*:*:ruby:*:*
cpe:2.3:a:pypy:pypy:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:a:php:php:*:*:*:*:*:*:*:*
cpe:2.3:a:pysha3_project:pysha3:*:*:*:*:*:*:*:*
First Time Fedoraproject
Php php
Debian
Pysha3 Project pysha3
Fedoraproject fedora
Sha3 Project sha3
Pypy
Python python
Php
Python
Pysha3 Project
Sha3 Project
Debian debian Linux
Pypy pypy
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html - Mailing List, Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/ - Mailing List, Third Party Advisory
References (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html - (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5269 - (DEBIAN) https://www.debian.org/security/2022/dsa-5269 - Third Party Advisory
References (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/ - (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/ - Mailing List, Third Party Advisory
References (DEBIAN) https://www.debian.org/security/2022/dsa-5267 - (DEBIAN) https://www.debian.org/security/2022/dsa-5267 - Third Party Advisory

04 Nov 2022, 00:15

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/', 'name': 'FEDORA-2022-f2a5082860', 'tags': [], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/', 'name': 'FEDORA-2022-1ecc10276e', 'tags': [], 'refsource': 'FEDORA'}
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/ -
  • (MISC) https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/ -

03 Nov 2022, 18:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/ -

03 Nov 2022, 04:15

Type Values Removed Values Added
References
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5269 -

02 Nov 2022, 13:15

Type Values Removed Values Added
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/ -
  • (DEBIAN) https://www.debian.org/security/2022/dsa-5267 -

01 Nov 2022, 16:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html -

31 Oct 2022, 13:15

Type Values Removed Values Added
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html -

25 Oct 2022, 15:23

Type Values Removed Values Added
References (MISC) https://mouha.be/sha-3-buffer-overflow/ - (MISC) https://mouha.be/sha-3-buffer-overflow/ - Exploit, Third Party Advisory
References (MISC) https://news.ycombinator.com/item?id=33281106 - (MISC) https://news.ycombinator.com/item?id=33281106 - Issue Tracking, Third Party Advisory
References (MISC) https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 - (MISC) https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 - Patch, Third Party Advisory
References (MISC) https://csrc.nist.gov/projects/hash-functions/sha-3-project - (MISC) https://csrc.nist.gov/projects/hash-functions/sha-3-project - Third Party Advisory, US Government Resource
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CWE CWE-190
First Time Extended Keccak Code Package Project
Extended Keccak Code Package Project extended Keccak Code Package
CPE cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:*

21 Oct 2022, 06:18

Type Values Removed Values Added
New CVE
Information

Published : 2022-10-21 06:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-37454

Mitre link : CVE-2022-37454

CVE.ORG link : CVE-2022-37454

JSON object : View

Products Affected

debian

  • debian_linux

fedoraproject

  • fedora

php

  • php

sha3_project

  • sha3

pypy

  • pypy

extended_keccak_code_package_project

  • extended_keccak_code_package

pysha3_project

  • pysha3

python

  • python
CWE
CWE-190

Integer Overflow or Wraparound