pypqc@0.0.6 vulnerabilities

Python bindings for the "PQClean" post-quantum cryptography library.

Direct Vulnerabilities

Known vulnerabilities in the pypqc package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • H
Observable Timing Discrepancy

pypqc is a set of Python bindings for the "PQClean" post-quantum cryptography library.

Affected versions of this package are vulnerable to Observable Timing Discrepancy due to the decapsulation process. An attacker who is able to submit many decapsulation requests against a single private key and to gain timing information about the decapsulation could recover the private key.

Notes:

  1. This is only exploitable for kyber512, kyber768 and kyber1024 on Mac OS or when compiled with clang.

  2. The 0.0.7 -> 0.0.7.1 upgrade, when available, should be a drop-in replacement.

How to fix Observable Timing Discrepancy?

There is no fixed version for pypqc.

Vulnerable versions: [0.0.6,)
  • H
Exposure of Sensitive Information to an Unauthorized Actor

pypqc is a set of Python bindings for the "PQClean" post-quantum cryptography library.

Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor due to the handling of ciphertexts against a single private key and the ability to get responses in real time. An attacker can recover the private key by submitting many ciphertexts.

How to fix Exposure of Sensitive Information to an Unauthorized Actor?

Upgrade pypqc to version 0.0.6.1 or higher.

Vulnerable versions: [,0.0.6.1)