How severe is CVE-2024-28183?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.1 out of 10.

What type of vulnerability is CVE-2024-28183?

This is classified as CWE-367, which is a common weakness in software security.

CVE-2024-28183 - MEDIUM Severity | CVSS 6.1

Vulnerability Description

ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip. This attack can allow to boot past (passive) application partition having lower security version of the same device even in the presence of the flash encryption scheme. The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (before loading the application). The vulnerability is fixed in 4.4.7 and 5.2.1.

Related Vulnerabilities

CVE-2023-22397

MEDIUM

CVSS:6.1(Medium)

An Allocation of Resources Without Limits or Throttling weakness in the memory management of the Packet Forwarding Engine (PFE) on Juniper Networks Junos OS Evolved PTX10003 Series devices allows an a...

CWE-3672023

CVE-2022-48682

MEDIUM

CVSS:6.0(Medium)

In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.

CWE-3672022

CVE-2023-52556

MEDIUM

CVSS:6.2(Medium)

In OpenBSD 7.4 before errata 009, a race condition between pf(4)'s processing of packets and expiration of packet states may cause a kernel panic.

CWE-3672023

CVE-2018-1121

MEDIUM

CVSS:5.9(Medium)

procps-ng, procps is vulnerable to a process hiding through race condition. Since the kernel's proc_pid_readdir() returns PID entries in ascending numeric order, a process occupying a high PID can use...

CWE-3672018

CVE-2019-18644

MEDIUM

CVSS:5.9(Medium)

The malware scan function in Total Defense Anti-virus 11.5.2.28 is vulnerable to a TOCTOU bug; consequently, symbolic link attacks allow privileged files to be deleted.

CWE-3672019

CVE-2019-20000

MEDIUM

CVSS:5.9(Medium)

The malware scan function in BullGuard Premium Protection 20.0.371.8 has a TOCTOU issue that enables a symbolic link attack, allowing privileged files to be deleted.

CWE-3672019