{
  "version": "1",
  "package": [
    {
      "name": "trusted-firmware-a",
      "layer": "meta-xilinx-core",
      "version": "2.12.0-xilinx-v2025.2",
      "products": [
        {
          "product": "arm-trusted-firmware",
          "cvesInRecord": "Yes"
        },
        {
          "product": "trusted_firmware-a",
          "cvesInRecord": "Yes"
        },
        {
          "product": "arm_trusted_firmware",
          "cvesInRecord": "Yes"
        },
        {
          "product": "arm_trusted_firmware",
          "cvesInRecord": "Yes"
        }
      ],
      "issue": [
        {
          "id": "CVE-2016-10319",
          "summary": "In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware update SMC can result in copying unexpectedly large data into secure memory because of integer overflows. This affects certain cases involving execution of both AArch64 Generic Trusted Firmware (TF) BL1 code and other firmware update code.",
          "scorev2": "4.3",
          "scorev3": "5.9",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2016-10319"
        },
        {
          "id": "CVE-2017-15031",
          "summary": "In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-15031"
        },
        {
          "id": "CVE-2017-7563",
          "summary": "In ARM Trusted Firmware 1.3, RO memory is always executable at AArch64 Secure EL1, allowing attackers to bypass the MT_EXECUTE_NEVER protection mechanism. This issue occurs because of inconsistency in the number of execute-never bits (one bit versus two bits).",
          "scorev2": "6.8",
          "scorev3": "8.1",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7563"
        },
        {
          "id": "CVE-2017-7564",
          "summary": "In ARM Trusted Firmware through 1.3, the secure self-hosted invasive debug interface allows normal world attackers to cause a denial of service (secure world panic) via vectors involving debug exceptions and debug registers.",
          "scorev2": "5.0",
          "scorev3": "7.5",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-7564"
        },
        {
          "id": "CVE-2017-9607",
          "summary": "The BL1 FWU SMC handling code in ARM Trusted Firmware before 1.4 might allow attackers to write arbitrary data to secure memory, bypass the bl1_plat_mem_check protection mechanism, cause a denial of service, or possibly have unspecified other impact via a crafted AArch32 image, which triggers an integer overflow.",
          "scorev2": "5.1",
          "scorev3": "7.0",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-9607"
        },
        {
          "id": "CVE-2018-19440",
          "summary": "ARM Trusted Firmware-A allows information disclosure.",
          "scorev2": "5.0",
          "scorev3": "5.3",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-19440"
        },
        {
          "id": "CVE-2022-47630",
          "summary": "Trusted Firmware-A through 2.8 has an out-of-bounds read in the X.509 parser for parsing boot certificates. This affects downstream use of get_ext and auth_nvctr. Attackers might be able to trigger dangerous read side effects or obtain sensitive information about microarchitectural state.",
          "scorev2": "0.0",
          "scorev3": "7.4",
          "scorev4": "0.0",
          "vector": "NETWORK",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-47630"
        },
        {
          "id": "CVE-2023-31339",
          "summary": "Improper input validation in ARM\u00ae Trusted Firmware used in AMD\u2019s Zynq\u2122 UltraScale+\u2122 MPSoC/RFSoC may allow a privileged attacker to perform out of bound reads, potentially resulting in data leakage and denial of service.",
          "scorev2": "0.0",
          "scorev3": "4.8",
          "scorev4": "0.0",
          "vector": "LOCAL",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:H",
          "status": "Patched",
          "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-31339"
        }
      ]
    }
  ]
}