{"id":"CVE-2023-40661","details":"Several memory vulnerabilities were identified within the OpenSC packages, particularly in the card enrollment process using pkcs15-init when a user or administrator enrolls cards. To take advantage of these flaws, an attacker must have physical access to the computer system and employ a custom-crafted USB device or smart card to manipulate responses to APDUs. This manipulation can potentially allow the compromise of key generation, certificate loading, and other card management operations during enrollment.","modified":"2026-04-10T05:00:55.801455Z","published":"2023-11-06T17:15:11.830Z","related":["ALSA-2023:7876","ALSA-2023:7879","SUSE-SU-2023:4065-1","SUSE-SU-2023:4089-1","SUSE-SU-2023:4104-1","openSUSE-SU-2024:13314-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/11/msg00024.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00026.html"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2023/12/13/3"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3CPQOMCDWFRBMEFR5VK4N5MMXXU42ODE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLYEFIBBA37TK3UNMZN5NOJ7IWCIXLQP/"},{"type":"ADVISORY","url":"https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:7879"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2023-40661"},{"type":"ADVISORY","url":"https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1"},{"type":"ADVISORY","url":"https://github.com/OpenSC/OpenSC/wiki/OpenSC-security-advisories"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:7876"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2240913"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/opensc/opensc","events":[{"introduced":"0"},{"last_affected":"5497519ea6b4af596628f8f8f2f904bacaa3148f"},{"fixed":"97121587579e703fe653160f3a2936661d1db2ad"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.23.0"}]}}],"versions":["0.12.2","0.12.2-rc1","0.13.0","0.13.0pre1","0.13.0rc1","0.14.0","0.14.0rc2","0.14.0rtm","0.15.0","0.16.0","0.17.0","0.17.0-rc1","0.17.0-rc2","0.18.0","0.18.0-rc1","0.18.0-rc2","0.19.0","0.19.0-rc1","0.20.0","0.20.0-rc1","0.20.0-rc2","0.20.0-rc3","0.20.0-rc4","0.21.0","0.21.0-rc1","0.21.0-rc2","0.22.0","0.22.0-rc1","0.22.0-rc2","0.23.0","0.23.0-rc1","0.23.0-rc2","v0.12.2","v0.16.0-pre1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40661.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}