VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-119k-7e76-jybz

Vulnerability ID	VCID-119k-7e76-jybz
Aliases	CVE-2024-32883
Summary	MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image. The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-354

System	Score	Found at
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
epss	0.00039	https://api.first.org/data/v1/epss?cve=CVE-2024-32883
cvssv3.1	7.7	https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j
ssvc	Track	https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2024-32883
GHSA-m59c-q9gq-rh2j		https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:H Found at https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-30T15:26:00Z/ Found at https://github.com/mcu-tools/mcuboot/security/advisories/GHSA-m59c-q9gq-rh2j

Exploit Prediction Scoring System (EPSS)

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T18:07:25.309798+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2024/32xxx/CVE-2024-32883.json	38.0.0