{ "document": { "aggregate_severity": { "text": "Low" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2023/cve-2023-4535-els_os-almalinux9_2esu.json" } ], "title": "Security update on CVE-2023-4535", "tracking": { "current_release_date": "2026-01-19T22:18:34Z", "generator": { "date": "2026-01-19T22:18:34Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2023-4535-ELS_OS-ALMALINUX9.2ESU", "initial_release_date": "2023-11-06T17:15:00Z", "revision_history": [ { "date": "2023-11-06T17:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2025-10-30T08:47:41Z", "number": "2", "summary": "Official Publication" }, { "date": "2025-11-29T10:46:20Z", "number": "3", "summary": "Update document" }, { "date": "2025-12-23T19:08:30Z", "number": "4", "summary": "Update document" }, { "date": "2026-01-19T22:18:34Z", "number": "5", "summary": "Update document" } ], "status": "final", "version": "5" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "AlmaLinux 9.2", "product": { "name": "AlmaLinux 9.2", "product_id": "AlmaLinux-9.2", "product_identification_helper": { "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "AlmaLinux" }, { "branches": [ { "category": "product_version", "name": "opensc-0:0.22.0-2.el9.i686", "product": { "name": "opensc-0:0.22.0-2.el9.i686", "product_id": "opensc-0:0.22.0-2.el9.i686", "product_identification_helper": { "purl": "pkg:rpm/almalinux/opensc@0.22.0-2.el9?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "opensc-0:0.22.0-2.el9.x86_64", "product": { "name": "opensc-0:0.22.0-2.el9.x86_64", "product_id": "opensc-0:0.22.0-2.el9.x86_64", "product_identification_helper": { "purl": "pkg:rpm/almalinux/opensc@0.22.0-2.el9?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "AlmaLinux OS Foundation" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "product": { "name": "opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "product_id": "opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/opensc@0.22.0-2.el9.tuxcare.els1?arch=i686" } } } ], "category": "architecture", "name": "i686" }, { "branches": [ { "category": "product_version", "name": "opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64", "product": { "name": "opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64", "product_id": "opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/tuxcare/opensc@0.22.0-2.el9.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "opensc-0:0.22.0-2.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.i686" }, "product_reference": "opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "opensc-0:0.22.0-2.el9.i686 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.i686" }, "product_reference": "opensc-0:0.22.0-2.el9.i686", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64" }, "product_reference": "opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" }, { "category": "default_component_of", "full_product_name": { "name": "opensc-0:0.22.0-2.el9.x86_64 as a component of AlmaLinux 9.2", "product_id": "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.x86_64" }, "product_reference": "opensc-0:0.22.0-2.el9.x86_64", "relates_to_product_reference": "AlmaLinux-9.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-4535", "cwe": { "id": "CWE-125", "name": "Out-of-bounds Read" }, "notes": [ { "category": "description", "text": "An out-of-bounds read vulnerability was found in OpenSC packages within the MyEID driver when handling symmetric key encryption. Exploiting this flaw requires an attacker to have physical access to the computer and a specially crafted USB device or smart card. This flaw allows the attacker to manipulate APDU responses and potentially gain unauthorized access to sensitive data, compromising the system's security.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.x86_64", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-4535" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2023:7879", "url": "https://access.redhat.com/errata/RHSA-2023:7879" }, { "category": "external", "summary": "https://access.redhat.com/security/cve/CVE-2023-4535", "url": "https://access.redhat.com/security/cve/CVE-2023-4535" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2240914", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2240914" }, { "category": "external", "summary": "https://github.com/OpenSC/OpenSC/commit/f1993dc4e0b33050b8f72a3558ee88b24c4063b2", "url": "https://github.com/OpenSC/OpenSC/commit/f1993dc4e0b33050b8f72a3558ee88b24c4063b2" }, { "category": "external", "summary": "https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651", "url": "https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651" }, { "category": "external", "summary": "https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1", "url": "https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1" }, { "category": "external", "summary": "https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories", "url": "https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/" } ], "release_date": "2023-11-06T17:15:00Z", "remediations": [ { "category": "no_fix_planned", "details": "Ignored due to low severity", "product_ids": [ "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.x86_64", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64" ] }, { "category": "no_fix_planned", "details": "This issue requires physical access, a crafted USB smart card or reader, and user interaction, and it only triggers in the OpenSC MyEID driver during symmetric‑key operations; in enterprise VMs and headless servers, USB smart‑card reader access is absent by default and requires explicit passthrough, so the vulnerable code path is not reachable in standard configurations. It is an out‑of‑bounds read with low confidentiality/integrity/availability impact and no demonstrated code execution or privilege escalation. Systems that do not use MyEID cards or expose smart‑card interfaces are therefore effectively not exposed to this CVE.", "product_ids": [ "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.x86_64", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.x86_64", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.i686", "AlmaLinux-9.2:opensc-0:0.22.0-2.el9.tuxcare.els1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Low" } ] } ] }