Candidate: CVE-2018-3613
PublicDate: 2019-03-27 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3613
 https://bugzilla.tianocore.org/attachment.cgi?id=44
 https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-authenticated-variable-bypass.html
 https://edk2-docs.gitbooks.io/security-advisory/content/authvariable-timestamp-zeroing-on-append_write.html
Description:
 Logic issue in variable service module for EDK II/UDK2018/UDK2017/UDK2015 may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access.
Ubuntu-Description:
Notes:
Bugs:
 https://bugzilla.tianocore.org/show_bug.cgi?id=415
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_edk2:
 upstream: https://git.qemu.org/?p=edk2.git;a=commit;h=b7dc8888f31402f410c53242839271ba3b94b619
upstream_edk2: needs-triage
precise/esm_edk2: DNE
trusty_edk2: ignored (reached end-of-life)
trusty/esm_edk2: DNE (trusty was needs-triage)
xenial_edk2: ignored (end of standard support, was needs-triage)
bionic_edk2: needs-triage
cosmic_edk2: ignored (reached end-of-life)
disco_edk2: not-affected (0~20190309.89910a39-1ubuntu1)
eoan_edk2: not-affected (0~20190606.20d2e5a1-1ubuntu2)
focal_edk2: not-affected (0~20190606.20d2e5a1-1ubuntu2)
groovy_edk2: not-affected (0~20190606.20d2e5a1-1ubuntu2)
hirsute_edk2: not-affected (0~20190606.20d2e5a1-1ubuntu2)
impish_edk2: not-affected (0~20190606.20d2e5a1-1ubuntu2)
jammy_edk2: not-affected (0~20190606.20d2e5a1-1ubuntu2)
devel_edk2: not-affected (0~20190606.20d2e5a1-1ubuntu2)