CVE-2022-37454 — CRITICAL (9.8)

Vulnerability Description

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Extended Keccak Code Package Project	Extended Keccak Code Package	-
Debian	Debian Linux	10.0
Fedoraproject	Fedora	35
Php	Php	>= 7.2.0, < 7.4.33
Python	Python	>= 3.6.0, < 3.7.16
Sha3 Project	Sha3	< 1.0.5
Pysha3 Project	Pysha3	All versions
Pypy	Pypy	>= 7.0.0

Related Weaknesses (CWE)

CWE-190

References

https://csrc.nist.gov/projects/hash-functions/sha-3-projectThird Party AdvisoryUS Government Resource
https://eprint.iacr.org/2023/331
https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00041.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00000.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproMailing ListThird Party Advisory
https://mouha.be/sha-3-buffer-overflow/ExploitThird Party Advisory
https://news.ycombinator.com/item?id=33281106Issue TrackingThird Party Advisory
https://news.ycombinator.com/item?id=35050307
https://security.gentoo.org/glsa/202305-02
https://www.debian.org/security/2022/dsa-5267Third Party Advisory
https://www.debian.org/security/2022/dsa-5269Third Party Advisory
https://csrc.nist.gov/projects/hash-functions/sha-3-projectThird Party AdvisoryUS Government Resource
https://eprint.iacr.org/2023/331

FAQ

What is CVE-2022-37454?

CVE-2022-37454 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic ...

How severe is CVE-2022-37454?

CVE-2022-37454 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-37454?

Check the references section above for vendor advisories and patch information. Affected products include: Extended Keccak Code Package Project Extended Keccak Code Package, Debian Debian Linux, Fedoraproject Fedora, Php Php, Python Python.