{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-16T00:00:00Z",
  "bugzilla" : {
    "description" : "edk2: Predictable TCP Initial Sequence Numbers",
    "id" : "2258703",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2258703"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of confidentiality.", "A security flaw has been identified in EDK2, the open-source reference implementation of the UEFI specification. This vulnerability enables an unauthorized attacker to potentially disclose sensitive information." ],
  "statement" : "The identified flaw in the NetworkPkg IP stack within EDK2, an open-source UEFI implementation, poses a moderate security concern because it can be exploited by an unauthenticated attacker within the same local network.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-08-13T00:00:00Z",
    "advisory" : "RHSA-2024:5297",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "edk2-0:20220126gitbb1bba3d77-13.el8_10.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-07-23T00:00:00Z",
    "advisory" : "RHSA-2024:4749",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "edk2-0:20231122-6.el9_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-07-09T00:00:00Z",
    "advisory" : "RHSA-2024:4419",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "edk2-0:20221207gitfff6d81270b5-9.el9_2.3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-45236\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-45236\nhttps://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html\nhttps://github.com/advisories/GHSA-fqc4-ffq5-4r98" ],
  "name" : "CVE-2023-45236",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}