Out-of-bounds Read Affecting keepkey/keepkey-firmware package, versions [,7.3.2)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.07% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-KEEPKEYKEEPKEYFIRMWARE-2812502
  • published9 May 2022
  • disclosed9 May 2022
  • creditChristian Reitter

Introduced: 9 May 2022

CVE-2022-30330  (opens in a new tab)
CWE-125  (opens in a new tab)

How to fix?

Upgrade keepkey/keepkey-firmware to version 7.3.2 or higher.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Read in lib/board/supervise.c which mishandles svhandler_flash_* address range checks. The bootloader can be exploited in unusual situations where the attacker has physical access, convinces the victim to install malicious firmware, or knows the victim's seed phrase.

CVSS Base Scores

version 3.1