Use of Multiple Resources with Duplicate Identifier Affecting zephyrproject-rtos/zephyr package, versions [,1.14)[2.4.0,2.6.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-ZEPHYRPROJECTRTOSZEPHYR-2365763
  • published26 Jan 2022
  • disclosed5 Oct 2021
  • creditUnknown

Introduced: 5 Oct 2021

CVE-2021-3436  (opens in a new tab)
CWE-694  (opens in a new tab)

How to fix?

Upgrade zephyrproject-rtos/zephyr to version 1.14, 2.6.0 or higher.

Overview

Affected versions of this package are vulnerable to Use of Multiple Resources with Duplicate Identifier. BT: Possible to overwrite an existing bond during keys distribution phase when the identity address of the bond is known. Zephyr versions >= 1.14.2, >= 2.4.0, >= 2.5.0 contain Use of Multiple Resources with Duplicate Identifier (CWE-694). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-j76f-35mc-4h63

References

CVSS Scores

version 3.1