CVE-2022-37454
Severity CVSS v4.0:
Pending analysis
Type:
CWE-190
Integer Overflow or Wraparound
Publication date:
21/10/2022
Last modified:
08/05/2025
Description
The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:extended_keccak_code_package_project:extended_keccak_code_package:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | ||
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | 7.2.0 (including) | 7.4.33 (excluding) |
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | 8.0.0 (including) | 8.0.25 (excluding) |
| cpe:2.3:a:php:php:*:*:*:*:*:*:*:* | 8.1.0 (including) | 8.1.12 (excluding) |
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.6.0 (including) | 3.7.16 (excluding) |
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.8.0 (including) | 3.8.16 (excluding) |
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.9.0 (including) | 3.9.16 (excluding) |
| cpe:2.3:a:python:python:*:*:*:*:*:*:*:* | 3.10.0 (including) | 3.10.9 (excluding) |
| cpe:2.3:a:sha3_project:sha3:*:*:*:*:*:ruby:*:* | 1.0.5 (excluding) | |
| cpe:2.3:a:pysha3_project:pysha3:*:*:*:*:*:*:*:* | ||
| cpe:2.3:a:pypy:pypy:*:*:*:*:*:*:*:* | 7.0.0 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://csrc.nist.gov/projects/hash-functions/sha-3-project
- https://eprint.iacr.org/2023/331
- https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
- https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/
- https://mouha.be/sha-3-buffer-overflow/
- https://news.ycombinator.com/item?id=33281106
- https://news.ycombinator.com/item?id=35050307
- https://security.gentoo.org/glsa/202305-02
- https://www.debian.org/security/2022/dsa-5267
- https://www.debian.org/security/2022/dsa-5269
- https://csrc.nist.gov/projects/hash-functions/sha-3-project
- https://eprint.iacr.org/2023/331
- https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658
- https://lists.debian.org/debian-lts-announce/2022/10/msg00041.html
- https://lists.debian.org/debian-lts-announce/2022/11/msg00000.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMIEXLMTW5GO36HTFFWIPB3OHZXCT3G4/
- https://mouha.be/sha-3-buffer-overflow/
- https://news.ycombinator.com/item?id=33281106
- https://news.ycombinator.com/item?id=35050307
- https://security.gentoo.org/glsa/202305-02
- https://security.netapp.com/advisory/ntap-20230203-0001/
- https://www.debian.org/security/2022/dsa-5267
- https://www.debian.org/security/2022/dsa-5269