edk2-shell

Description EDK2 UEFI Shell
Version 202108-1 [extra]

Open

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1360 | 202108-1 | | Medium | Vulnerable | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-28216 | AVG-1360 | Medium | No | Insufficient validation | A security issue has been found in edk2. In the function FpdtStatusCodeListenerPei(), the pointer BootPerformanceTable is read directly from an NVRAM... |
| CVE-2019-14560 | AVG-1360 | Medium | No | Certificate verification bypass | GetEfiGlobalVariable2() is used in some instances when looking up the SecureBoot UEFI variable. The API can fail in certain circumstances, for example, if... |

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2382 | 202105-1 | 202108-1 | Medium | Fixed | |
| AVG-2070 | 202105-1 | | Medium | Not affected | |
| AVG-1697 | 202008-1 | 202011-1 | Medium | Fixed | |
| AVG-1359 | 202008-1 | 202011-1 | Medium | Fixed | |

| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-38575 | AVG-2382 | Medium | Yes | Arbitrary code execution | In EDK II before version 202108, a remotely exploitable buffer overflow has been found in the IScsiHexToBin() function. |
| CVE-2021-28213 | AVG-2070 | Medium | No | Private key recovery | An example EDK2 encrypted private key in IpSecDxe.efi presents potential security risks. |
| CVE-2021-28211 | AVG-1697 | Medium | No | Arbitrary code execution | A security issue was found in EDK II before version 202011. A possible heap corruption in LzmaUefiDecompressGetInfo could lead to arbitrary code execution. |
| CVE-2021-28210 | AVG-1697 | Low | No | Denial of service | A security issue was found in EDK II before version 202011. An unlimited FV parsing recursion could lead to denial of service. |
| CVE-2019-14584 | AVG-1359 | Medium | No | Denial of service | A security issue was found in edk2 up to edk2-stable202011. AuthenticodeVerify() calls OpenSSL's d2i_PKCS7() API to parse ASN.1-encoded signed Authenticode... |