Base Score

MEDIUM6.7

CVE-2020-24455

Missing initialization of a variable in the TPM2 source may allow a privileged user to potentially enable an escalation of privilege via local access. This affects tpm2-tss before 3.0.1 and before 2.4.3.

VectorLOCAL

Published Bysecure@intel.com

Published DateFeb 26, 2021, 03:15

Weakness Type (CWE):CWE-909

CVSS Metrics

Base Score

6.7

Vector String

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://bugzilla.redhat.com/show_bug.cgi?id=1902167
https://github.com/tpm2-software/tpm2-tss/releases/tag/2.4.3
https://github.com/tpm2-software/tpm2-tss/releases/tag/3.0.1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7KPOENCMJU4DMT3BDNUBRK25B3DJ47UO/
https://security.gentoo.org/glsa/202107-10

Base Score

MEDIUM6.7

Weakness Type (CWE):CWE-909

CVSS Metrics

Base Score

6.7

Vector String

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

LOCAL

Attack Complexity (AC)

LOW

Privileges Required (PR)

HIGH

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH