CVE-2023-45841

Name of the Vulnerable Software and Affected Versions Buildroot versions 2023.08.1 through 2023.08.1 Buildroot dev commit 622698d7847

Description Multiple data integrity vulnerabilities exist in the package hash checking functionality. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder. This issue is related to the versal-firmware package.

Recommendations For Buildroot version 2023.08.1, consider disabling the package hash checking functionality until a patch is available. For Buildroot dev commit 622698d7847, restrict access to the versal-firmware package to minimize the risk of exploitation. As a temporary workaround, avoid using the package hash checking functionality in the builder until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.