CVE-2019-14575

Published: 31 December 2019

Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access.

Priority

Cvss 3 Severity Score

7.8

Score breakdown

Status

Package	Release	Status
edk2 Launchpad, Ubuntu, Debian	bionic	Released (0~20180205.c0d9813c-2ubuntu0.2)
	eoan	Released (0~20190606.20d2e5a1-2ubuntu1.1)
	focal	Not vulnerable (0~20191122.bd85bf54-2ubuntu3)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Released (0~20160408.ffea0a2c-2ubuntu0.1)
	Patches: upstream: https://github.com/tianocore/edk2/commit/fbb96072233b5eaecf4d229cbee47b13dcab39e1 upstream: https://github.com/tianocore/edk2/commit/c13742b180095e5181e41dffda954581ecbd9b9c upstream: https://github.com/tianocore/edk2/commit/9e569700901857d0ba418ebdd30b8086b908688c upstream: https://github.com/tianocore/edk2/commit/929d1a24d12822942fd4f9fa83582e27f92de243 upstream: https://github.com/tianocore/edk2/commit/adc6898366298d1f64b91785e50095527f682758 upstream: https://github.com/tianocore/edk2/commit/a83dbf008cc73406cbdc0d5ac3164cc19fff6683 upstream: https://github.com/tianocore/edk2/commit/5cd8be6079ea7e5638903b2f3da0f4c10ec7f1da upstream: https://github.com/tianocore/edk2/commit/cb30c8f25162e6d8142c6b098f14c1e4e7f125ce upstream: https://github.com/tianocore/edk2/commit/b1c11470598416c89c67b75c991fd0773bcbab9d upstream: https://github.com/tianocore/edk2/commit/c230c002accc4281ccc57bba7153a9b2d9b9ccd3

Severity score breakdown

Parameter	Value
Base score	7.8
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Bugs

https://bugzilla.tianocore.org/show_bug.cgi?id=1608

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›