{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-37454", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2023-03-07T03:42:54.794928Z", "dateReserved": "2022-08-07T00:00:00", "datePublished": "2022-10-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-03-07T03:42:54.794928Z"}, "descriptions": [{"lang": "en", "value": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "unknown"}]}], "references": [{"name": "https://csrc.nist.gov/projects/hash-functions/sha-3-project", "url": "https://csrc.nist.gov/projects/hash-functions/sha-3-project"}, {"name": "https://mouha.be/sha-3-buffer-overflow/", "url": "https://mouha.be/sha-3-buffer-overflow/"}, {"name": "https://news.ycombinator.com/item?id=33281106", "url": "https://news.ycombinator.com/item?id=33281106"}, {"name": "https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658", "url": "https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658"}, {"name": "https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html"}, {"name": "https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html", "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html"}, {"name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/"}, {"name": "https://www.debian.org/security/2022/dsa-5267", "url": "https://www.debian.org/security/2022/dsa-5267"}, {"name": "https://www.debian.org/security/2022/dsa-5269", "url": "https://www.debian.org/security/2022/dsa-5269"}, {"name": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/"}, {"url": "https://eprint.iacr.org/2023/331"}, {"url": "https://news.ycombinator.com/item?id=35050307"}, {"url": "https://security.gentoo.org/glsa/202305-02"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "n/a"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:*", "matchCriteriaId": "F959FD3C-9C59-4DD6-AA90-E254F0DD815E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "76798416-0F70-4C9C-BFA2-AD2DC4DE54FA", "versionEndExcluding": "7.4.33", "versionStartIncluding": "7.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "795EC7FC-4A42-4D2B-A900-02CA7770E515", "versionEndExcluding": "8.0.25", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "matchCriteriaId": "0BFF2544-41D1-41F6-A116-F7069789A585", "versionEndExcluding": "8.1.12", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C960DA8-C330-43DB-8F1C-5C00A9E7537B", "versionEndExcluding": "3.7.16", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "70B04BCE-14CC-48FD-9545-E645776C2378", "versionEndExcluding": "3.8.16", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "E28B140D-129A-4B9F-AC2B-F121E7EAD70C", "versionEndExcluding": "3.9.16", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "95E57263-9F7E-489E-9578-D89B584095B2", "versionEndExcluding": "3.10.9", "versionStartIncluding": "3.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sha3_project:sha3:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "61BEF41F-FCF7-48C9-A6D9-2B8FD7D5D9B1", "versionEndExcluding": "1.0.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pysha3_project:pysha3:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6682145-B3AF-4CAE-9C1D-1A83C79D7BC2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pypy:pypy:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AF535F7-D275-4DA1-8450-07ED0A9BF2EB", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface."}, {"lang": "es", "value": "La implementaci\u00f3n de referencia de Keccak XKCP SHA-3 versiones anteriores a fdc6fef, presenta un desbordamiento de enteros y un desbordamiento de b\u00fafer resultante que permite a atacantes ejecutar c\u00f3digo arbitrario o eliminar las propiedades criptogr\u00e1ficas esperadas. Esto ocurre en la interfaz de la funci\u00f3n sponge"}], "id": "CVE-2022-37454", "lastModified": "2023-05-03T11:15:11.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-21T06:15:09.333", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://csrc.nist.gov/projects/hash-functions/sha-3-project"}, {"source": "cve@mitre.org", "url": "https://eprint.iacr.org/2023/331"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://mouha.be/sha-3-buffer-overflow/"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://news.ycombinator.com/item?id=33281106"}, {"source": "cve@mitre.org", "url": "https://news.ycombinator.com/item?id=35050307"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202305-02"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5267"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5269"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}