Nixpkgs security tracker

Untriaged

Permalink CVE-2024-0914

5.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): NONE

created 4 months, 2 weeks ago

Opencryptoki: timing side-channel in handling of rsa pkcs#1 v1.5 padded ciphertexts (marvin)

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.

References

RHSA-2024:1239 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1411 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1608 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1856 vendor-advisoryx_transferredx_refsource_REDHAT
RHSA-2024:1992 vendor-advisoryx_transferredx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-0914 x_transferredvdb-entryx_refsource_REDHAT
RHBZ#2260407 x_transferredissue-trackingx_refsource_REDHAT
https://people.redhat.com/~hkario/marvin/ x_transferred

Affected products

openCryptoki

opencryptoki

<3.23.0
*

Matching in nixpkgs

pkgs.opencryptoki

PKCS#11 implementation for Linux

nixos-unstable 3.25.0
- nixpkgs-unstable 3.25.0
- nixos-unstable-small 3.25.0

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.opencryptoki