Edk2
Monthly
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Rated low severity (CVSS 3.7), this vulnerability is no authentication required.
EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Rated high severity (CVSS 7.0). No vendor patch available.
EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Rated high severity (CVSS 7.0). No vendor patch available.
EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Rated high severity (CVSS 7.0). No vendor patch available.
NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Example EDK2 encrypted private key in the IpSecDxe.efi present potential security risks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A heap overflow in LzmaUefiDecompressGetInfo function in EDK II. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An unlimited recursion in DxeCore in EDK II. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Rated low severity (CVSS 3.7), this vulnerability is no authentication required.
EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Rated high severity (CVSS 7.0). No vendor patch available.
EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Rated high severity (CVSS 7.0). No vendor patch available.
EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Rated high severity (CVSS 7.0). No vendor patch available.
NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
Example EDK2 encrypted private key in the IpSecDxe.efi present potential security risks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A heap overflow in LzmaUefiDecompressGetInfo function in EDK II. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
An unlimited recursion in DxeCore in EDK II. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.