Vulnerability in Espressif Esp-idf
CVE-2024-28183
ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attack…
Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)
EPSS: 0.000 (9.6th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 6.1 (Medium). Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.
Affected products
- Espressif Esp-idf — versions < 4.4.7, >= 5.0, <= 5.0.6, >= 5.1, <= 5.1.3
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/espressif/esp-idf/security/advisories/GHSA-22x6-3756-pfp8 (x_refsource_CONFIRM)
- https://github.com/espressif/esp-idf/commit/3305cb4d235182067936f8e940e6db174e25b4b2 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/4c95aa445d4e84f01f86b6f3a552aa299276abf3 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/534e3ad1fa68526a5f989fb2163856d6b7cd2c87 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/7003f1ef0dffc73c34eb153d1b0710babb078149 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/b2cdc0678965790f49afeb6e6b0737cd24433a05 (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/c33b9e1426121ce8cccf1a94241740be9cff68de (x_refsource_MISC)
- https://github.com/espressif/esp-idf/commit/f327ddf6adab0c28d395975785727b2feef57803 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-28183?
- CVE-2024-28183 is a medium-severity vulnerability in Espressif Esp-idf, classified under Time-of-check Time-of-use (TOCTOU) Race Condition. CVSS score: 6.1/10. Published 2024-03-25.
- How severe is CVE-2024-28183?
- Medium severity. CVSS v3 base score is 6.1 out of 10.
- Is CVE-2024-28183 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.