How severe is CVE-2023-43630?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2023-43630?

This is classified as CWE-328, which is a common weakness in software security.

CVE-2023-43630

HIGH Year: 2023

CVSS v3 Score

8.8

High

Weakness Type

CWE-328

View all →

Vulnerability Description

PCR14 is not in the list of PCRs that seal/unseal the “vault” key, but due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, fixing this issue alone would not solve the problem of the config partition not being measured correctly. Also, the “vault” key is sealed/unsealed with SHA1 PCRs instead of SHA256. This issue was somewhat mitigated due to all of the PCR extend functions updating both the values of SHA256 and SHA1 for a given PCR ID. However, due to the change that was implemented in commit “7638364bc0acf8b5c481b5ce5fea11ad44ad7fd4”, this is no longer the case for PCR14, as the code in “measurefs.go” explicitly updates only the SHA256 instance of PCR14, which means that even if PCR14 were to be added to the list of PCRs sealing/unsealing the “vault” key, changes to the config partition would still not be measured. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault”

CVE-2023-43635

HIGH

CVSS:8.8(High)

Vault Key Sealed With SHA1 PCRs The measured boot solution implemented in EVE OS leans on a PCR locking mechanism. Different parts of the system update different PCR values in the TPM, resulting in a ...

CWE-3282023

CVE-2023-46133

CRITICAL

CVSS:9.1(Critical)

CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,00...

CWE-3282023

CVE-2023-46233

CRITICAL

CVSS:9.1(Critical)

crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than curren...

CWE-3282023

CVE-2024-48847

HIGH

CVSS:9.1(Critical)

MD5 Checksum Bypass vulnerabilities where found exploiting a weakness in the way an application dependency calculates or validates MD5 checksum hashes. Affected products: ABB ASPECT - Enterprise v3.08...

CWE-3282024

CVE-2022-45141

CRITICAL

CVSS:9.8(Critical)

Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory...

CWE-3282022

CVE-2025-27595

CRITICAL

CVSS:9.8(Critical)

The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker. This impacts the security and the integrity of the device.

CWE-3282025

CVE-2023-43630

Vulnerability Description

Related Vulnerabilities

CVE-2023-43635

CVE-2023-46133

CVE-2023-46233

CVE-2024-48847

CVE-2022-45141

CVE-2025-27595