CVE-2024-38433 MEDIUM

CVE-2024-38433: Nuvoton - CWE-305: Authentication Bypass by Primary Weakness

Vendor Nuvoton
Product NPCM7xx (Poleg) BootBlock
Weakness CWE-305
Published July 11, 2024
Last update August 2, 2024

CVSS base score

6.7/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Nuvoton - CWE-305: Authentication Bypass by Primary Weakness An attacker with write access to the SPI-Flash on an NPCM7xx BMC subsystem that uses the Nuvoton BootBlock reference code can modify the u-boot image header on flash parsed by the BootBlock which could lead to arbitrary code execution.

Key dates

02Disclosure timeline

July 11, 2024 CVE published
August 2, 2024 Record updated