CVE-2022-37454
CVE-2022-37454 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface. EPSS estimates a 5.19% chance of exploitation in the next 30 days.
Description
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Extended Keccak Code Package Project | Extended Keccak Code Package | All versions |
| Debian | Debian Linux | 10.0 |
| Debian | Debian Linux | 11.0 |
| Fedoraproject | Fedora | 35 |
| Fedoraproject | Fedora | 36 |
| Php | Php | >= 7.2.0, < 7.4.33 |
| Php | Php | >= 8.0.0, < 8.0.25 |
| Php | Php | >= 8.1.0, < 8.1.12 |
| Python | Python | >= 3.6.0, < 3.7.16 |
| Python | Python | >= 3.8.0, < 3.8.16 |
| Python | Python | >= 3.9.0, < 3.9.16 |
| Python | Python | >= 3.10.0, < 3.10.9 |
| Sha3 Project | Sha3 | < 1.0.5 |
| Pysha3 Project | Pysha3 | All versions |
| Pypy | Pypy | >= 7.0.0 |
References
- https://csrc.nist.gov/projects/hash-functions/sha-3-project (Third Party Advisory, US Government Resource)
- https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html (Mailing List, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/ (Mailing List, Third Party Advisory)
- https://mouha.be/sha-3-buffer-overflow/ (Exploit, Third Party Advisory)
- https://news.ycombinator.com/item?id=33281106 (Issue Tracking, Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5267 (Third Party Advisory)
- https://www.debian.org/security/2022/dsa-5269 (Third Party Advisory)
Source: NVD / NIST
