postquantum-feldman-vss 0.8.0b2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the postquantum-feldman-vss package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Covert Timing Channel PostQuantum-Feldman-VSS is a Post-Quantum Secure Feldman's Verifiable Secret Sharing (VSS) in Python Affected versions of this package are vulnerable to Covert Timing Channel through the `_find_secure_pivot` and `_secure_matrix_solve` functions. An attacker can extract secret information used in the Verifiable Secret Sharing (VSS) scheme by measuring the execution time of these functions with carefully crafted inputs. How to fix Covert Timing Channel? There is no fixed version for `PostQuantum-Feldman-VSS`.	[0,)
M Use of a Cryptographic Primitive with a Risky Implementation PostQuantum-Feldman-VSS is a Post-Quantum Secure Feldman's Verifiable Secret Sharing (VSS) in Python Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to inadequate countermeasures in `secure_redundant_execution`. An attacker can bypass redundancy check mechanisms, extract secret polynomial coefficients during share generation or verification, force the acceptance of invalid shares during verification, and manipulate the commitment verification process to accept fraudulent commitments by exploiting the weaknesses in fault injection countermeasures. This is only exploitable if the attacker has physical access to the hardware. How to fix Use of a Cryptographic Primitive with a Risky Implementation? Upgrade `PostQuantum-Feldman-VSS` to version 0.8.0b3 or higher.	[,0.8.0b3)

Vulnerability

Vulnerable Version

Covert Timing Channel

PostQuantum-Feldman-VSS is a Post-Quantum Secure Feldman's Verifiable Secret Sharing (VSS) in Python

Affected versions of this package are vulnerable to Covert Timing Channel through the _find_secure_pivot and _secure_matrix_solve functions. An attacker can extract secret information used in the Verifiable Secret Sharing (VSS) scheme by measuring the execution time of these functions with carefully crafted inputs.

How to fix Covert Timing Channel?

There is no fixed version for PostQuantum-Feldman-VSS.

[0,)

Use of a Cryptographic Primitive with a Risky Implementation

PostQuantum-Feldman-VSS is a Post-Quantum Secure Feldman's Verifiable Secret Sharing (VSS) in Python

Affected versions of this package are vulnerable to Use of a Cryptographic Primitive with a Risky Implementation due to inadequate countermeasures in secure_redundant_execution. An attacker can bypass redundancy check mechanisms, extract secret polynomial coefficients during share generation or verification, force the acceptance of invalid shares during verification, and manipulate the commitment verification process to accept fraudulent commitments by exploiting the weaknesses in fault injection countermeasures. This is only exploitable if the attacker has physical access to the hardware.

How to fix Use of a Cryptographic Primitive with a Risky Implementation?

Upgrade PostQuantum-Feldman-VSS to version 0.8.0b3 or higher.

[,0.8.0b3)

postquantum-feldman-vss@0.8.0b2 vulnerabilities

Post-Quantum Secure Feldman's Verifiable Secret Sharing (VSS) in Python

latest version

first published

latest version published

Direct Vulnerabilities

How to fix?