How severe is CVE-2022-2503?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.7 out of 10.

What type of vulnerability is CVE-2022-2503?

This is classified as CWE-302, which is a common weakness in software security.

CVE-2022-2503 - MEDIUM Severity | CVSS 6.7

Vulnerability Description

Dm-verity is used for extending root-of-trust to root filesystems. LoadPin builds on this property to restrict module/firmware loads to just the trusted root filesystem. Device-mapper table reloads currently allow users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification till reboot. This allows root to bypass LoadPin and can be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates. We recommend upgrading past commit 4caae58406f8ceb741603eee460d79bacca9b1b5

Related Vulnerabilities

CVE-2024-47086

HIGH

CVSS:6.5(Medium)

This vulnerability exists in Apex Softcell LD DP Back Office due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vu...

CWE-3022024

CVE-2024-8475

MEDIUM

CVSS:6.5(Medium)

Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables.This issue affects WiFiBurada: before 1.0.5.

CWE-3022024

CVE-2022-40703

MEDIUM

CVSS:6.1(Medium)

CWE-302 Authentication Bypass by Assumed-Immutable Data in AliveCor Kardia App version 5.17.1-754993421 and prior on Android allows an unauthenticated attacker with physical access to the Android devi...

CWE-3022022

CVE-2020-15074

HIGH

CVSS:7.5(High)

OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial to...

CWE-3022020

CVE-2022-3875

HIGH

CVSS:7.5(High)

A vulnerability classified as critical was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This vulnerability affects unknown code of the component API. The manipulati...

CWE-3022022

CVE-2024-22179

HIGH

CVSS:7.5(High)

The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account take...

CWE-3022024