CVE-2019-11098

Description

Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
edk2	25.10 questing	Not affected
	25.04 plucky	Not affected
	24.10 oracular	Not affected
	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Fixed 2020.11-4ubuntu0.1
	20.10 groovy	Ignored end of life
	20.04 LTS focal	Fixed 0~20191122.bd85bf54-2ubuntu3.3
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
edk2	Upstream: https://github.com/tianocore/edk2/pull/830 Upstream: https://github.com/tianocore/edk2/pull/1405 Upstream: https://github.com/tianocore/edk2/pull/830/commits/af48e7719c501df656b9bbb67f17afcf915aaf72 Upstream: https://github.com/tianocore/edk2/pull/830/commits/b85f78967701c2a7a70fb8d1f8d3d27d998bbfcd Upstream: https://github.com/tianocore/edk2/pull/830/commits/550e3be222966f8341cee08e0ff3e303ee180f79 Upstream: https://github.com/tianocore/edk2/pull/830/commits/de701382bd1ec6ca605e2a2d107b6a5f033bb1a6 Upstream: https://github.com/tianocore/edk2/pull/830/commits/10d48773432a8df8b2c8f3aaab56f064d529f720 Upstream: https://github.com/tianocore/edk2/pull/830/commits/d691e66c411360a4ad1e8207f232b944ea52310a Upstream: https://github.com/tianocore/edk2/pull/830/commits/62a8616e06848a3cf2332a5b0614d091b645988a Upstream: https://github.com/tianocore/edk2/pull/830/commits/7ea02619e9930f2f15b2cf6aa8c23345073f4aa4 Upstream: https://github.com/tianocore/edk2/pull/830/commits/b6524d7062f3e22c2c8158cdbf2e8f81b959560b Upstream: https://github.com/tianocore/edk2/pull/1405/commits/2b8656fd130e719325a63475d1d3fe747cfd31ce

Package

Patch details

edk2

Severity score breakdown

Parameter	Value
Base score	6.8 · Medium
Attack vector	Physical
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-5088-1
EDK II vulnerabilities
23 September 2021

CVE-2019-11098

Cvss 3 Severity Score

Description

Status

Patch details

Severity score breakdown

References

Related Ubuntu Security Notices (USN)

Other references