CVE-2023-45237

Advisory lineage Upstream: 0 Downstream: 13

Downstream

DEBIAN-CVE-2023-45237 OPENSUSE-SU-2024:14336-1 RHSA-2024:4419 RHSA-2024:4749 RHSA-2024:5297 SUSE-SU-2025:0407-1

Modified

Published: 16 Jan 2024, 16:11

Last modified:04 Nov 2025, 18:17

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

0.41% LOW

0% probability +0.03%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

16 Jan 2024, 16:11

Published

Vulnerability first disclosed

04 Nov 2025, 18:17

Last Modified

Vulnerability information updated

Description

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

CVSS Metrics

v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.41%• Percentile: 62%

Techniques & Countermeasures

CWE-338•Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Affected Systems

tianocore•edk2
edk2-stable202308 | ≤ 202311