CVE-2023-25947 - Vulnerability Details - OpenCVE

The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions has a null pointer reference vulnerability which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Openatom	Openharmony

Configuration 1 [-]

cpe:2.3:o:openatom:openharmony:*:*:*:*:-:*:*:*

No data.

References

Link	Providers
https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md

History

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Sep 2024 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openatom Openatom openharmony
CPEs	cpe:2.3:a:openharmony:openharmony:::::-:::*	cpe:2.3:o:openatom:openharmony:::::-:::*
Vendors & Products	Openharmony Openharmony openharmony	Openatom Openatom openharmony

MITRE

Status: PUBLISHED

Assigner: OpenHarmony

Published: 2023-03-10T10:45:30.665Z

Updated: 2025-03-03T20:50:14.292Z

Reserved: 2023-03-07T03:52:10.706Z

Link: CVE-2023-25947

Vulnrichment

Updated: 2024-08-02T11:39:06.548Z

NVD

Status : Modified

Published: 2023-03-10T11:15:12.377

Modified: 2024-11-21T07:50:29.843

Link: CVE-2023-25947

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-25947", "assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "state": "PUBLISHED", "assignerShortName": "OpenHarmony", "dateReserved": "2023-03-07T03:52:10.706Z", "datePublished": "2023-03-10T10:45:30.665Z", "dateUpdated": "2025-03-03T20:50:14.292Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenHarmony", "vendor": "OpenHarmony", "versions": [{"lessThanOrEqual": "3.1.4", "status": "affected", "version": "3.1", "versionType": "custom"}]}], "datePublic": "2023-03-11T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions <span style=\"background-color: rgb(255, 255, 255);\">has a null pointer reference vulnerability</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.<br>"}], "value": "The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions\u00a0has a null pointer reference vulnerability\u00a0which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.\n"}], "impacts": [{"capecId": "CAPEC-92", "descriptions": [{"lang": "en", "value": "CAPEC-92 Forced Integer Overflow"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "shortName": "OpenHarmony", "dateUpdated": "2023-03-10T10:45:30.665Z"}, "references": [{"url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md"}], "source": {"discovery": "UNKNOWN"}, "title": "The bundle management subsystem has a improper input validation when installing a HAP package.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.548Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-03T20:50:00.403179Z", "id": "CVE-2023-25947", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:50:14.292Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:39:06.548Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-25947", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-03T20:50:00.403179Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-03T20:50:07.660Z"}}], "cna": {"title": "The bundle management subsystem has a improper input validation when installing a HAP package.", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-92", "descriptions": [{"lang": "en", "value": "CAPEC-92 Forced Integer Overflow"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenHarmony", "product": "OpenHarmony", "versions": [{"status": "affected", "version": "3.1", "versionType": "custom", "lessThanOrEqual": "3.1.4"}], "defaultStatus": "unaffected"}], "datePublic": "2023-03-11T00:00:00.000Z", "references": [{"url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions\u00a0has a null pointer reference vulnerability\u00a0which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.\n", "supportingMedia": [{"type": "text/html", "value": "The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions <span style=\"background-color: rgb(255, 255, 255);\">has a null pointer reference vulnerability</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "shortName": "OpenHarmony", "dateUpdated": "2023-03-10T10:45:30.665Z"}}}, "cveMetadata": {"cveId": "CVE-2023-25947", "state": "PUBLISHED", "dateUpdated": "2025-03-03T20:50:14.292Z", "dateReserved": "2023-03-07T03:52:10.706Z", "assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd", "datePublished": "2023-03-10T10:45:30.665Z", "assignerShortName": "OpenHarmony"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:openatom:openharmony:*:*:*:*:-:*:*:*", "matchCriteriaId": "9346515D-01CC-45A7-8230-E40B8EA89ADF", "versionEndIncluding": "3.1.4", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions\u00a0has a null pointer reference vulnerability\u00a0which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.\n"}], "id": "CVE-2023-25947", "lastModified": "2024-11-21T07:50:29.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "scy@openharmony.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-10T11:15:12.377", "references": [{"source": "scy@openharmony.io", "tags": ["Third Party Advisory"], "url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://gitee.com/openharmony/security/blob/master/en/security-disclosure/2023/2023-03.md"}], "sourceIdentifier": "scy@openharmony.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "scy@openharmony.io", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}